Minor changes to wolfSSL MQTT demo files ()

* Clean up demo config for wolfSSL mutual auth. 
* Add comment about picking the correct ROOT CA.
* uncrustify using_wolfSSL.c and some other code style changes.
* Apply suggestions from code review

Co-authored-by: Archit Aggarwal <architag@amazon.com>
pull/494/head^2
Carl Lundin committed by GitHub
parent dfdf2ddf1f
commit a78cb45d12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -76,7 +76,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigCLIENT_IDENTIFIER "insert here."
*/
#define democonfigCLIENT_IDENTIFIER "demoDevice"
/**
* @brief Endpoint of the MQTT broker to connect to.
*
@ -91,7 +91,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigMQTT_BROKER_ENDPOINT "...insert here..."
*/
#define democonfigMQTT_BROKER_ENDPOINT "...insert here..."
/**
* @brief The port to use for the demo.
*
@ -102,7 +102,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigMQTT_BROKER_PORT "...insert here..."
*/
#define democonfigMQTT_BROKER_PORT 8883
/**
* @brief Server's root CA certificate.
*
@ -111,16 +111,19 @@ extern void vLoggingPrintf(const char* pcFormatString,
* in the link below.
* https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs
*
* @note This certificate should be PEM-encoded.
*
* Must include the PEM header and footer:
* "-----BEGIN CERTIFICATE-----\n"\
* "...base64 data...\n"\
* "-----END CERTIFICATE-----\n"
* @note This certificate should be PEM-encoded.
* @note Define the path to the certificate, do not copy and paste the certificate
* contents to this macro.
* @warning If wolfSSL cannot verify the peer when connecting to AWS IoT, try
* using the root CA of Starfield Services found at
* https://www.amazontrust.com/repository/SFSRootCAG2.pem.
* wolfSSL requires that the whole CA certificate chain is trusted. AWS
* certificates are cross signed by this CA.
*
* #define democonfigROOT_CA_PEM "...insert here..."
*/
#define democonfigROOT_CA_PEM "...insert here..."
/**
* @brief Client certificate.
*
@ -129,15 +132,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
* https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
*
* @note This certificate should be PEM-encoded.
*
* Must include the PEM header and footer:
* "-----BEGIN CERTIFICATE-----\n"\
* "...base64 data...\n"\
* "-----END CERTIFICATE-----\n"
* @note Define the path to the certificate, do not copy and paste the certificate
* contents to this macro.
*
* #define democonfigCLIENT_CERTIFICATE_PEM "...insert here..."
*/
#define democonfigCLIENT_CERTIFICATE_PEM "...insert here..."
/**
* @brief Client's private key.
*
@ -146,15 +146,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
* https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
*
* @note This private key should be PEM-encoded.
*
* Must include the PEM header and footer:
* "-----BEGIN RSA PRIVATE KEY-----\n"\
* "...base64 data...\n"\
* "-----END RSA PRIVATE KEY-----\n"
* @note define the path to the certificate, do not copy and paste the certificate
* contents to this macro.
*
* #define democonfigCLIENT_PRIVATE_KEY_PEM "...insert here..."
*/
#define democonfigCLIENT_PRIVATE_KEY_PEM "...insert here..."
/**
* @brief Set the stack size of the main demo task.
*

@ -86,51 +86,59 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
*
* @return #TLS_TRANSPORT_SUCCESS, #TLS_TRANSPORT_INSUFFICIENT_MEMORY, or #TLS_TRANSPORT_INTERNAL_ERROR.
*/
static TlsTransportStatus_t initTLS(void);
static TlsTransportStatus_t initTLS( void );
/*
* @brief Receive date from the socket passed as the context
*
* @param[in] ssl WOLFSSL object.
* @param[in] buf Buffer for received data
* @param[in] sz Size to receive
* @param[in] context Socket to be received from
*
* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_READ.
*/
static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
* @brief Receive date from the socket passed as the context
*
* @param[in] ssl WOLFSSL object.
* @param[in] buf Buffer for received data
* @param[in] sz Size to receive
* @param[in] context Socket to be received from
*
* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_READ.
*/
static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
char * buf,
int sz,
void * context );
/*
* @brief Send date to the socket passed as the context
*
* @param[in] ssl WOLFSSL object.
* @param[in] buf Buffer for data to be sent
* @param[in] sz Size to send
* @param[in] context Socket to be sent to
*
* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.
*/
static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
* @brief Send date to the socket passed as the context
*
* @param[in] ssl WOLFSSL object.
* @param[in] buf Buffer for data to be sent
* @param[in] sz Size to send
* @param[in] context Socket to be sent to
*
* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.
*/
static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
char * buf,
int sz,
void * context );
/*-----------------------------------------------------------*/
static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
char * buf,
int sz,
void * context )
{
( void )ssl; /* to prevent unused warning*/
( void ) ssl; /* to prevent unused warning*/
BaseType_t read = 0;
Socket_t xSocket = (Socket_t)context;
Socket_t xSocket = ( Socket_t ) context;
BaseType_t read;
read = FreeRTOS_recv(xSocket, (void*)buf, (size_t)sz, 0);
read = FreeRTOS_recv( xSocket, ( void * ) buf, ( size_t ) sz, 0 );
if ((read == 0 ) ||
(read == -pdFREERTOS_ERRNO_EWOULDBLOCK))
if( ( read == 0 ) ||
( read == -pdFREERTOS_ERRNO_EWOULDBLOCK ) )
{
read = WOLFSSL_CBIO_ERR_WANT_READ;
}
else if (read == -pdFREERTOS_ERRNO_ENOTCONN)
else if( read == -pdFREERTOS_ERRNO_ENOTCONN )
{
read = WOLFSSL_CBIO_ERR_CONN_CLOSE;
}
@ -138,23 +146,25 @@ static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
{
/* do nothing */
}
return (int)read;
return ( int ) read;
}
/*-----------------------------------------------------------*/
static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
char * buf,
int sz,
void * context )
{
( void )ssl; /* to prevent unused warning*/
Socket_t xSocket = (Socket_t)context;
( void ) ssl; /* to prevent unused warning*/
Socket_t xSocket = ( Socket_t ) context;
BaseType_t sent = FreeRTOS_send( xSocket, ( void * ) buf, ( size_t ) sz, 0 );
BaseType_t sent = FreeRTOS_send(xSocket, (void*)buf, (size_t)sz, 0);
if ( sent == -pdFREERTOS_ERRNO_EWOULDBLOCK )
if( sent == -pdFREERTOS_ERRNO_EWOULDBLOCK )
{
sent = WOLFSSL_CBIO_ERR_WANT_WRITE;
}
else if ( sent == -pdFREERTOS_ERRNO_ENOTCONN )
else if( sent == -pdFREERTOS_ERRNO_ENOTCONN )
{
sent = WOLFSSL_CBIO_ERR_CONN_CLOSE;
}
@ -162,138 +172,137 @@ static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
{
/* do nothing */
}
return (int)sent;
return ( int ) sent;
}
/*-----------------------------------------------------------*/
static TlsTransportStatus_t initTLS(void)
static TlsTransportStatus_t initTLS( void )
{
/* initialize wolfSSL */
wolfSSL_Init();
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif
return TLS_TRANSPORT_SUCCESS;
}
/*-----------------------------------------------------------*/
static TlsTransportStatus_t tlsSetup(NetworkContext_t* pNetCtx,
const char* pHostName,
const NetworkCredentials_t* pNetCred )
static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetCtx,
const char * pHostName,
const NetworkCredentials_t * pNetCred )
{
TlsTransportStatus_t returnStatus = TLS_TRANSPORT_SUCCESS;
/*char errString[80];*/
configASSERT(pNetCtx != NULL);
configASSERT(pHostName != NULL);
configASSERT(pNetCred != NULL);
configASSERT(pNetCred->pRootCa != NULL);
configASSERT(pNetCtx->tcpSocket != NULL);
Socket_t xSocket = { 0 };
configASSERT( pNetCtx != NULL );
configASSERT( pHostName != NULL );
configASSERT( pNetCred != NULL );
configASSERT( pNetCred->pRootCa != NULL );
configASSERT( pNetCtx->tcpSocket != NULL );
if (pNetCtx->sslContext.ctx == NULL )
if( pNetCtx->sslContext.ctx == NULL )
{
/* Attempt to create a context that uses the TLS 1.3 or 1.2 */
pNetCtx->sslContext.ctx =
wolfSSL_CTX_new( wolfSSLv23_client_method_ex( NULL ) );
}
if (pNetCtx->sslContext.ctx != NULL )
if( pNetCtx->sslContext.ctx != NULL )
{
/* attempt to load ca cert file, client cert file and client private key file */
if( wolfSSL_CTX_load_verify_locations( pNetCtx->sslContext.ctx,
(const char*)(pNetCred->pRootCa), NULL) == SSL_SUCCESS )
( const char * ) ( pNetCred->pRootCa ), NULL ) == SSL_SUCCESS )
{
if( wolfSSL_CTX_use_certificate_file(pNetCtx->sslContext.ctx,
(const char*)(pNetCred->pClientCert), SSL_FILETYPE_PEM)
== SSL_SUCCESS )
if( wolfSSL_CTX_use_certificate_file( pNetCtx->sslContext.ctx,
( const char * ) ( pNetCred->pClientCert ), SSL_FILETYPE_PEM )
== SSL_SUCCESS )
{
if ( wolfSSL_CTX_use_PrivateKey_file(pNetCtx->sslContext.ctx,
(const char*)(pNetCred->pPrivateKey), SSL_FILETYPE_PEM)
== SSL_SUCCESS)
if( wolfSSL_CTX_use_PrivateKey_file( pNetCtx->sslContext.ctx,
( const char * ) ( pNetCred->pPrivateKey ), SSL_FILETYPE_PEM )
== SSL_SUCCESS )
{
/* create a ssl object */
pNetCtx->sslContext.ssl =
wolfSSL_new(pNetCtx->sslContext.ctx);
pNetCtx->sslContext.ssl =
wolfSSL_new( pNetCtx->sslContext.ctx );
if (pNetCtx->sslContext.ssl != NULL)
if( pNetCtx->sslContext.ssl != NULL )
{
Socket_t xSocket = pNetCtx->tcpSocket;
xSocket = pNetCtx->tcpSocket;
/* set Recv/Send glue functions to the WOLFSSL object */
wolfSSL_SSLSetIORecv(pNetCtx->sslContext.ssl,
wolfSSL_IORecvGlue);
wolfSSL_SSLSetIOSend(pNetCtx->sslContext.ssl,
wolfSSL_IOSendGlue);
wolfSSL_SSLSetIORecv( pNetCtx->sslContext.ssl,
wolfSSL_IORecvGlue );
wolfSSL_SSLSetIOSend( pNetCtx->sslContext.ssl,
wolfSSL_IOSendGlue );
/* set socket as a context of read/send glue funcs */
wolfSSL_SetIOReadCtx(pNetCtx->sslContext.ssl, xSocket);
wolfSSL_SetIOWriteCtx(pNetCtx->sslContext.ssl, xSocket);
wolfSSL_SetIOReadCtx( pNetCtx->sslContext.ssl, xSocket );
wolfSSL_SetIOWriteCtx( pNetCtx->sslContext.ssl, xSocket );
/* let wolfSSL perform tls handshake */
if (wolfSSL_connect(pNetCtx->sslContext.ssl)
== SSL_SUCCESS)
if( wolfSSL_connect( pNetCtx->sslContext.ssl )
== SSL_SUCCESS )
{
returnStatus = TLS_TRANSPORT_SUCCESS;
}
else
{
wolfSSL_shutdown(pNetCtx->sslContext.ssl);
wolfSSL_free(pNetCtx->sslContext.ssl);
wolfSSL_shutdown( pNetCtx->sslContext.ssl );
wolfSSL_free( pNetCtx->sslContext.ssl );
pNetCtx->sslContext.ssl = NULL;
wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
LogError(("Failed to establish a TLS connection"));
LogError( ( "Failed to establish a TLS connection" ) );
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
}
}
else
{
wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
LogError(("Failed to create wolfSSL object"));
LogError( ( "Failed to create wolfSSL object" ) );
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
}
else
{
wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
LogError(("Failed to load client-private-key file"));
LogError( ( "Failed to load client-private-key file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
LogError(("Failed to load client-certificate file"));
LogError( ( "Failed to load client-certificate file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
LogError(("Failed to load ca-certificate file"));
LogError( ( "Failed to load ca-certificate file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
LogError(("Failed to create a wolfSSL_CTX"));
LogError( ( "Failed to create a wolfSSL_CTX" ) );
returnStatus = TLS_TRANSPORT_CONNECT_FAILURE;
}
return returnStatus;
}
@ -311,7 +320,7 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
{
TlsTransportStatus_t returnStatus = TLS_TRANSPORT_SUCCESS;
BaseType_t socketStatus = 0;
if( ( pNetworkContext == NULL ) ||
( pHostName == NULL ) ||
@ -350,7 +359,7 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
/* Initialize tls. */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
{
returnStatus = initTLS();
}
@ -382,21 +391,23 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext )
{
WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
WOLFSSL_CTX * pCtx = NULL;
/* shutdown an active TLS connection */
wolfSSL_shutdown(pSsl);
wolfSSL_shutdown( pSsl );
/* cleanup WOLFSSL object */
wolfSSL_free(pSsl);
wolfSSL_free( pSsl );
pNetworkContext->sslContext.ssl = NULL;
/* Call socket shutdown function to close connection. */
Sockets_Disconnect(pNetworkContext->tcpSocket);
Sockets_Disconnect( pNetworkContext->tcpSocket );
/* free WOLFSSL_CTX object*/
WOLFSSL_CTX* pCtx = pNetworkContext->sslContext.ctx;
wolfSSL_CTX_free(pCtx);
pCtx = pNetworkContext->sslContext.ctx;
wolfSSL_CTX_free( pCtx );
pNetworkContext->sslContext.ctx = NULL;
wolfSSL_Cleanup();
@ -409,21 +420,26 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
size_t bytesToRecv )
{
int32_t tlsStatus = 0;
int iResult = 0;
WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
int iResult = 0;
WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
iResult = wolfSSL_read( pSsl, pBuffer, bytesToRecv );
if (iResult > 0)
if( iResult > 0 )
{
tlsStatus = iResult;
else if ( wolfSSL_want_read( pSsl ) == 1 )
}
else if( wolfSSL_want_read( pSsl ) == 1 )
{
tlsStatus = 0;
}
else
{
tlsStatus = wolfSSL_state( pSsl );
LogError(("Error from wolfSSL_read %d : %s ",
iResult, wolfSSL_ERR_reason_error_string( tlsStatus )));
LogError( ( "Error from wolfSSL_read %d : %s ",
iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
}
return tlsStatus;
}
@ -434,21 +450,26 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
size_t bytesToSend )
{
int32_t tlsStatus = 0;
int iResult = 0;
WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
int iResult = 0;
WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
iResult = wolfSSL_write( pSsl, pBuffer, bytesToSend );
if (iResult > 0)
if( iResult > 0 )
{
tlsStatus = iResult;
else if( wolfSSL_want_write( pSsl ) == 1)
}
else if( wolfSSL_want_write( pSsl ) == 1 )
{
tlsStatus = 0;
}
else
{
tlsStatus = wolfSSL_state(pSsl);
LogError(("Error from wolfSL_write %d : %s ",
iResult, wolfSSL_ERR_reason_error_string( tlsStatus )));
tlsStatus = wolfSSL_state( pSsl );
LogError( ( "Error from wolfSL_write %d : %s ",
iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
}
return tlsStatus;
}
/*-----------------------------------------------------------*/

Loading…
Cancel
Save