client-tls13.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483
  1. /* client-tls13.c
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. /* C Standard Library */
  22. #include <stdlib.h>
  23. #include <stdio.h>
  24. #include <string.h>
  25. #include <time.h>
  26. /* POSIX Library */
  27. #include <sys/socket.h>
  28. #include <arpa/inet.h>
  29. #include <netinet/in.h>
  30. #include <unistd.h>
  31. /* wolfSSL Library */
  32. #include <wolfssl/options.h>
  33. #include <wolfssl/ssl.h>
  34. #include <wolfssl/wolfio.h>
  35. #include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
  36. #include <wolfssl/error-ssl.h>
  37. /* IoTSAFE Certificate slots */
  38. /* File Slot '02' is pre-provisioned with
  39. * the client ECC public key certificate.
  40. */
  41. #define CRT_CLIENT_FILE_ID 0x02
  42. /* File Slot '03' is pre-provisioned with the
  43. * server ECC public key certificate.
  44. */
  45. #define CRT_SERVER_FILE_ID 0x03
  46. /* IoTSAFE Key slots */
  47. /* Key slot '01' is pre-provisioned with
  48. * the client ECC private key.
  49. */
  50. #define PRIVKEY_ID 0x01
  51. /* Key slot '04' is used to generate the ECDH
  52. * key pair that will be used during the TLS
  53. * session.
  54. */
  55. #define ECDH_KEYPAIR_ID 0x04
  56. /* Key slot '05' is used to store the ECDH public
  57. * key received from the peer during the TLS
  58. * session.
  59. */
  60. #define PEER_PUBKEY_ID 0x05
  61. /* Key slot '05' is used to store the public key
  62. * used for ECC verification - disabled in IoTSAFE.
  63. */
  64. #define PEER_CERT_ID 0x05
  65. /* Function Declarations */
  66. extern int client_loop(const char *peer_ip, const char *peer_name,
  67. const char *peer_port, const char *temperature);
  68. #if defined(USE_SECRET_CALLBACK)
  69. static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
  70. int secretSz, void* ctx);
  71. #endif
  72. /* Function Definitions */
  73. #if defined(USE_SECRET_CALLBACK)
  74. #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
  75. #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log"
  76. #endif
  77. /* Callback function for TLS v1.3 secrets for use with Wireshark */
  78. static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
  79. int secretSz, void* ctx)
  80. {
  81. int i;
  82. const char* str = NULL;
  83. unsigned char clientRandom[32];
  84. size_t clientRandomSz;
  85. XFILE fp = stderr;
  86. if (ctx) {
  87. fp = XFOPEN((const char*)ctx, "ab");
  88. if (fp == XBADFILE) {
  89. return BAD_FUNC_ARG;
  90. }
  91. }
  92. clientRandomSz = wolfSSL_get_client_random(ssl, clientRandom,
  93. sizeof(clientRandom));
  94. switch (id) {
  95. case CLIENT_EARLY_TRAFFIC_SECRET:
  96. str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
  97. case EARLY_EXPORTER_SECRET:
  98. str = "EARLY_EXPORTER_SECRET"; break;
  99. case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
  100. str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
  101. case SERVER_HANDSHAKE_TRAFFIC_SECRET:
  102. str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
  103. case CLIENT_TRAFFIC_SECRET:
  104. str = "CLIENT_TRAFFIC_SECRET_0"; break;
  105. case SERVER_TRAFFIC_SECRET:
  106. str = "SERVER_TRAFFIC_SECRET_0"; break;
  107. case EXPORTER_SECRET:
  108. str = "EXPORTER_SECRET"; break;
  109. }
  110. fprintf(fp, "%s ", str);
  111. for (i = 0; i < (int)clientRandomSz; i++) {
  112. fprintf(fp, "%02x", clientRandom[i]);
  113. }
  114. fprintf(fp, " ");
  115. for (i = 0; i < secretSz; i++) {
  116. fprintf(fp, "%02x", secret[i]);
  117. }
  118. fprintf(fp, "\n");
  119. if (fp != stderr) {
  120. XFCLOSE(fp);
  121. }
  122. return 0;
  123. }
  124. #endif /* USE_SECRET_CALLBACK */
  125. int client_loop(const char *peer_ip, const char *peer_name,
  126. const char *peer_port, const char *temperature)
  127. {
  128. int ret = 0;
  129. /* Declare TCP objects */
  130. int sockfd = -1;
  131. struct sockaddr_in servAddr = {0};
  132. /* Declare TCP messaging buffer */
  133. char buff[2048] = {0};
  134. size_t len = 0;
  135. /* Declare certificate temporary buffer */
  136. uint8_t cert_buffer[2048] = {0};
  137. uint32_t cert_buffer_size = 0;
  138. uint8_t *cert_iter = NULL;
  139. /* Declare wolfSSL objects */
  140. WOLFSSL_CTX* ctx = NULL;
  141. WOLFSSL* ssl = NULL;
  142. WC_RNG rng = {0};
  143. char randombytes[16] = {0};
  144. /* Construct HTTP POST */
  145. /* Header */
  146. strcat(buff, "POST /iot/device HTTP/1.1\r\n");
  147. strcat(buff, "Content-Type: application/json\r\n");
  148. strcat(buff, "Content-Length: 1000\r\n");
  149. strcat(buff, "Accept: */*\r\n");
  150. strcat(buff, "Host: ");
  151. strcat(buff, peer_name);
  152. strcat(buff, ":");
  153. strcat(buff, peer_port);
  154. strcat(buff, "\r\n");
  155. /* Delimiter */
  156. strcat(buff, "\r\n");
  157. /* Body */
  158. srand(time(NULL));
  159. int devid = rand() % 100;
  160. char snum[5] = {0};
  161. snprintf(snum, sizeof(snum), "%d", devid);
  162. strcat(buff, "{");
  163. strcat(buff, "\"deviceId\": \"");
  164. strcat(buff, snum);
  165. strcat(buff, "\",");
  166. strcat(buff, "\"sensorType\": \"Temperature\",");
  167. strcat(buff, "\"sensorValue\": \"");
  168. strcat(buff, temperature);
  169. strcat(buff, "\",");
  170. strcat(buff, "\"sensorUnit\": \"Celsius\",");
  171. strcat(buff, "\"sensorTime\": 1582181510");
  172. strcat(buff, "}");
  173. strcat(buff, "\r\n");
  174. printf("\n\nPOST REQUEST\n\n%s\n\n", buff);
  175. /*---------------------------------*/
  176. /* Start of Socket */
  177. /*---------------------------------*/
  178. printf("---- Preparing TCP socket\n");
  179. /* Create a socket that uses an internet IPv4 address,
  180. * Sets the socket to be stream based (TCP),
  181. * 0 means choose the default protocol. */
  182. printf("---- Creating socket\n");
  183. if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  184. {
  185. fprintf(stderr, "ERROR: failed to create the socket\n");
  186. ret = -1;
  187. goto exit;
  188. }
  189. /* Fill in the server address */
  190. printf("Peer port: %s\n", peer_port);
  191. servAddr.sin_family = AF_INET; /* Using IPv4 */
  192. servAddr.sin_port = htons(atoi(peer_port));
  193. /* Get the server IPv4 address from the command line call */
  194. printf("---- Checking peer IP address\n");
  195. printf("Peer IP address: %s <IPv4 address>\n", peer_ip);
  196. if (inet_pton(AF_INET, peer_ip, &servAddr.sin_addr) != 1)
  197. {
  198. fprintf(stderr, "ERROR: invalid peer IP address\n");
  199. ret = -1;
  200. goto exit;
  201. }
  202. /* Connect to the server */
  203. printf("---- Connecting to the peer socket\n");
  204. if ((ret = connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr)))
  205. == -1)
  206. {
  207. fprintf(stderr, "ERROR: failed to connect\n");
  208. goto exit;
  209. }
  210. printf("---- TCP socket connection established\n");
  211. /*---------------------------------*/
  212. /* Start of Security */
  213. /*---------------------------------*/
  214. printf("---- Preparing wolfSSL TLS 1.3\n");
  215. /* Initialize wolfSSL */
  216. printf("---- Initializing wolfSSL\n");
  217. if ((ret = wolfSSL_Init()) != WOLFSSL_SUCCESS)
  218. {
  219. fprintf(stderr, "ERROR: Failed to initialize the library\n");
  220. goto exit;
  221. }
  222. /* Allow debug print in wolfSSL */
  223. printf("---- Allowing debug print in wolfSSL\n");
  224. if ((ret = wolfSSL_Debugging_ON()) != 0)
  225. {
  226. fprintf(stderr, "WARNING: Failed to enable wolfSSL debug print\n");
  227. }
  228. /* Initialize RNG */
  229. printf("---- Initializing RNG\n");
  230. if ((ret = wc_InitRng(&rng)) != 0)
  231. {
  232. fprintf(stderr, "ERROR: Failed to initialize the random number generator\n");
  233. goto exit;
  234. }
  235. /* Obtain a sample RND */
  236. printf("---- Testing getting RND\n");
  237. if ((ret = wc_RNG_GenerateBlock(
  238. &rng,
  239. (byte*)randombytes,
  240. sizeof(randombytes)))
  241. != 0)
  242. {
  243. fprintf(stderr, "ERROR: Failed to get random numbers\n");
  244. goto exit;
  245. }
  246. else
  247. {
  248. printf("Random bytes: ");
  249. for (uint8_t i = 0; i < sizeof(randombytes); i++)
  250. printf("%02X", (unsigned int)randombytes[i]);
  251. printf("\n");
  252. }
  253. /* Create and initialize WOLFSSL_CTX */
  254. printf("---- Creating wolfSSL TLS 1.3 context object\n");
  255. if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL)
  256. {
  257. fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
  258. ret = -1;
  259. goto exit;
  260. }
  261. /* Initialize IoTSAFE */
  262. printf("---- Enabling IoTSAFE\n");
  263. if ((ret = wolfSSL_CTX_iotsafe_enable(ctx)) != 0)
  264. {
  265. fprintf(stderr, "ERROR: Failed to initialize IoTSAFE\n");
  266. goto exit;
  267. }
  268. /* Extract client certificate from IoTSAFE*/
  269. printf("---- Extracting client certificate from IoTSAFE\n");
  270. if ((cert_buffer_size = wolfIoTSafe_GetCert(
  271. CRT_CLIENT_FILE_ID,
  272. cert_buffer,
  273. sizeof(cert_buffer)))
  274. < 1)
  275. {
  276. fprintf(stderr, "ERROR: Bad client certificate\n");
  277. ret = -1;
  278. goto exit;
  279. }
  280. /* Print extracted client certificate */
  281. printf("---- Printing extracted client certificate\n");
  282. cert_iter = (uint8_t*)&cert_buffer;
  283. printf("Extracted client certificate in HEX:\n");
  284. for (uint32_t i = 0; i < cert_buffer_size; i++)
  285. printf("%02X", (unsigned int)*(cert_iter++));
  286. printf("\n");
  287. /* Load client certificate */
  288. printf("---- Loading client certificate\n");
  289. if ((ret = wolfSSL_CTX_use_certificate_buffer(ctx, cert_buffer,
  290. cert_buffer_size, WOLFSSL_FILETYPE_ASN1))
  291. != WOLFSSL_SUCCESS)
  292. {
  293. fprintf(stderr, "ERROR: Failed to load client certificate\n");
  294. return -1;
  295. }
  296. /* Extract server certificate from IoTSAFE*/
  297. printf("---- Extracting server certificate from IoTSAFE\n");
  298. if ((cert_buffer_size = wolfIoTSafe_GetCert(
  299. CRT_SERVER_FILE_ID,
  300. cert_buffer,
  301. sizeof(cert_buffer)))
  302. < 1)
  303. {
  304. fprintf(stderr, "ERROR: Bad server certificate\n");
  305. ret = -1;
  306. goto exit;
  307. }
  308. /* Print extracted server certificate */
  309. printf("---- Printing extracted server certificate\n");
  310. cert_iter = (uint8_t*)&cert_buffer;
  311. printf("Extracted server certificate in HEX:\n");
  312. for (uint32_t i = 0; i < cert_buffer_size; i++)
  313. printf("%02X", (unsigned int)*(cert_iter++));
  314. printf("\n");
  315. /* Load server certificate */
  316. printf("---- Loading server certificate\n");
  317. if ((ret = wolfSSL_CTX_trust_peer_buffer(ctx, cert_buffer,
  318. cert_buffer_size, WOLFSSL_FILETYPE_ASN1))
  319. != WOLFSSL_SUCCESS)
  320. {
  321. fprintf(stderr, "ERROR: Failed to load server certificate\n");
  322. return -1;
  323. }
  324. /* Set client to authenticate server */
  325. printf("---- Enabling client to authenticate server\n");
  326. wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
  327. /* Create a WOLFSSL object */
  328. printf("---- Creating wolfSSL TLS 1.3 connection object\n");
  329. if ((ssl = wolfSSL_new(ctx)) == NULL)
  330. {
  331. fprintf(stderr, "ERROR: failed to create WOLFSSL object\n");
  332. ret = -1;
  333. goto exit;
  334. }
  335. /* Attach IoTSAFE usage to the wolfSSL */
  336. printf("---- Using IoTSAFE for TLS 1.3\n");
  337. if ((ret = wolfSSL_iotsafe_on(
  338. ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID,
  339. PEER_PUBKEY_ID, PEER_CERT_ID))
  340. != 0)
  341. {
  342. fprintf(stderr, "ERROR: Failed to use IoTSAFE\n");
  343. goto exit;
  344. }
  345. /* Attach wolfSSL to the socket */
  346. printf("---- Attaching TLS 1.3 to the socket\n");
  347. if ((ret = wolfSSL_set_fd(ssl, sockfd)) != WOLFSSL_SUCCESS)
  348. {
  349. fprintf(stderr, "ERROR: Failed to set the file descriptor\n");
  350. goto exit;
  351. }
  352. #ifdef USE_SECRET_CALLBACK
  353. /* Logging usage for wireshark */
  354. printf("---- Attaching TLS 1.3 secret callback for wireshark\n");
  355. if ((ret = wolfSSL_set_tls13_secret_cb(
  356. ssl,
  357. Tls13SecretCallback,
  358. (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT))
  359. != WOLFSSL_SUCCESS)
  360. {
  361. fprintf(stderr, "ERROR: Failed to set the secret callback\n");
  362. goto exit;
  363. }
  364. #endif
  365. /* Connect to wolfSSL on the server side */
  366. printf("---- Start TLS 1.3 handshaking\n");
  367. if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS)
  368. {
  369. fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
  370. goto exit;
  371. }
  372. printf("---- wolfSSL TLS 1.3 connection established\n");
  373. /*---------------------------------*/
  374. /* Start of Communication */
  375. /*---------------------------------*/
  376. printf("---- Communication starts\n");
  377. /* Get a message for the server from stdin */
  378. printf("Enter message for server:\n");
  379. printf("[OUT]:\n");
  380. printf("\n\n%s\n\n", buff);
  381. len = strlen(buff);
  382. /* Send the message to the server */
  383. printf("Sending message to the server\n");
  384. if ((size_t) (ret = wolfSSL_write(ssl, buff, len)) != len)
  385. {
  386. fprintf(stderr, "ERROR: failed to write entire message\n");
  387. fprintf(stderr, "%d bytes of %d bytes were sent\n", ret, (int) len);
  388. goto exit;
  389. }
  390. /* Read the server data into our buff array */
  391. printf("Receiving message from the server\n");
  392. memset(buff, 0, sizeof(buff));
  393. if ((ret = wolfSSL_read(ssl, buff, sizeof(buff) - 1)) < 0)
  394. {
  395. fprintf(stderr, "ERROR: failed to read\n");
  396. goto exit;
  397. }
  398. /* Print to stdout any data the server sends */
  399. printf("[IN] :\n%s\n", buff);
  400. /* Return reporting a success */
  401. ret = 0;
  402. printf("---- Communication ends\n");
  403. exit:
  404. /* Cleanup and return */
  405. if (sockfd != -1)
  406. close(sockfd); /* Close the connection to the server */
  407. if (ssl)
  408. wolfSSL_free(ssl); /* Free the wolfSSL object */
  409. if (ctx)
  410. wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object */
  411. wc_FreeRng(&rng); /* Cleanup the RNG */
  412. wolfSSL_Cleanup(); /* Cleanup the wolfSSL environment */
  413. return ret;
  414. }