int main( void )
{
int ret, len;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "dtls_server";
unsigned char client_ip[16] = { 0 };
size_t cliip_len;
mbedtls_ssl_cookie_ctx cookie_ctx;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
mbedtls_timing_delay_context timer;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
mbedtls_net_init( &listen_fd );
mbedtls_net_init( &client_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ssl_cookie_init( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
#endif
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
mbedtls_entropy_init( &entropy );
mbedtls_ctr_drbg_init( &ctr_drbg );
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( DEBUG_LEVEL );
#endif
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the "listening" UDP socket
*/
printf( " . Bind on udp/*/4433 ..." );
fflush( stdout );
if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the DTLS data..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_cookie_setup( &cookie_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
&cookie_ctx );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
printf( " ok\n" );
reset:
#ifdef MBEDTLS_ERROR_C
if( ret != 0 )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
mbedtls_net_free( &client_fd );
mbedtls_ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
client_ip, sizeof( client_ip ), &cliip_len ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_accept returned %d\n\n", ret );
goto exit;
}
/* For HelloVerifyRequest cookies */
if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl,
client_ip, cliip_len ) ) != 0 )
{
printf( " failed\n ! "
"mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &client_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
printf( " ok\n" );
/*
* 5. Handshake
*/
printf( " . Performing the DTLS handshake..." );
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
printf( " hello verification requested\n" );
ret = 0;
goto reset;
}
else if( ret != 0 )
{
printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
printf( " ok\n" );
/*
* 6. Read the echo Request
*/
printf( " < Read from client:" );
fflush( stdout );
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_SSL_TIMEOUT:
printf( " timeout\n\n" );
goto reset;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
ret = 0;
goto close_notify;
default:
printf( " mbedtls_ssl_read returned -0x%x\n\n", -ret );
goto reset;
}
}
len = ret;
printf( " %d bytes read\n\n%s\n\n", len, buf );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
}
len = ret;
printf( " %d bytes written\n\n%s\n\n", len, buf );
/*
* 8. Done, cleanly close the connection
*/
close_notify:
printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
printf( " done\n" );
goto reset;
/*
* Final clean-ups and exit
*/
exit:
#ifdef MBEDTLS_ERROR_C
if( ret != 0 )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
printf( "Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
mbedtls_net_free( &client_fd );
mbedtls_net_free( &listen_fd );
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_cookie_free( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );
#endif
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
/* Shell can not handle large exit numbers -> 1 for errors */
if( ret < 0 )
ret = 1;
return( ret );
}
DTLSContext *HAL_DTLSSession_create(coap_dtls_options_t *p_options)
{
char port[6] = {0};
int result = 0;
dtls_session_t *p_dtls_session = NULL;
p_dtls_session = _DTLSSession_init();
if (NULL != p_dtls_session) {
mbedtls_ssl_config_init(&p_dtls_session->conf);
result = mbedtls_ctr_drbg_seed(&p_dtls_session->ctr_drbg, mbedtls_entropy_func, &p_dtls_session->entropy,
(const unsigned char *)"IoTx",
strlen("IoTx"));
if (0 != result) {
DTLS_ERR("mbedtls_ctr_drbg_seed result 0x%04x\r\n", result);
goto error;
}
result = mbedtls_ssl_config_defaults(&p_dtls_session->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (0 != result) {
DTLS_ERR("mbedtls_ssl_config_defaults result 0x%04x\r\n", result);
goto error;
}
mbedtls_ssl_conf_rng(&p_dtls_session->conf, mbedtls_ctr_drbg_random, &p_dtls_session->ctr_drbg);
mbedtls_ssl_conf_dbg(&p_dtls_session->conf, _DTLSLog_wrapper, NULL);
result = mbedtls_ssl_cookie_setup(&p_dtls_session->cookie_ctx,
mbedtls_ctr_drbg_random, &p_dtls_session->ctr_drbg);
if (0 != result) {
DTLS_ERR("mbedtls_ssl_cookie_setup result 0x%04x\r\n", result);
goto error;
}
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dtls_cookies(&p_dtls_session->conf, mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check, &p_dtls_session->cookie_ctx);
#endif
result = _DTLSVerifyOptions_set(p_dtls_session, p_options->p_ca_cert_pem);
if (DTLS_SUCCESS != result) {
DTLS_ERR("DTLSVerifyOptions_set result 0x%04x\r\n", result);
goto error;
}
sprintf(port, "%u", p_options->port);
result = mbedtls_net_connect(&p_dtls_session->fd, p_options->p_host,
port, MBEDTLS_NET_PROTO_UDP);
if (0 != result) {
DTLS_ERR("mbedtls_net_connect result 0x%04x\r\n", result);
goto error;
}
#ifdef MBEDTLS_SSL_PROTO_DTLS
if (p_dtls_session->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_conf_min_version(&p_dtls_session->conf,
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_max_version(&p_dtls_session->conf,
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_handshake_timeout(&p_dtls_session->conf,
(MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN * 2),
(MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN * 2 * 4));
}
#endif
result = _DTLSContext_setup(p_dtls_session, p_options);
if (DTLS_SUCCESS != result) {
DTLS_ERR("DTLSVerifyOptions_set result 0x%04x\r\n", result);
goto error;
}
return (DTLSContext *)p_dtls_session;
}
error:
if (NULL != p_dtls_session) {
_DTLSSession_deinit(p_dtls_session);
}
return NULL;
}
void dtls_server(void)
{
int len, ret = 0;
struct udp_context ctx;
struct dtls_timing_context timer;
struct zoap_packet zpkt;
struct net_pkt *pkt;
struct net_buf *frag;
mbedtls_ssl_cookie_ctx cookie_ctx;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_platform_set_printf(printk);
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_THRESHOLD);
#endif
/*
* Initialize and setup
*/
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_entropy_init(&entropy);
mbedtls_entropy_add_source(&entropy, entropy_source, NULL,
MBEDTLS_ENTROPY_MAX_GATHER,
MBEDTLS_ENTROPY_SOURCE_STRONG);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers, strlen(pers));
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ctr_drbg_seed returned -0x%x\n", -ret);
goto exit;
}
ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_config_defaults returned -0x%x\n",
-ret);
goto exit;
}
/* Modify this to change the default timeouts for the DTLS handshake */
/* mbedtls_ssl_conf_handshake_timeout( &conf, min, max ); */
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, NULL);
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(heap, sizeof(heap));
#endif
ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random,
&ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_cookie_setup returned -0x%x\n",
-ret);
goto exit;
}
mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check, &cookie_ctx);
ret = mbedtls_ssl_setup(&ssl, &conf);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_setup returned -0x%x\n", -ret);
goto exit;
}
ret = udp_init(&ctx);
if (ret != 0) {
mbedtls_printf(" failed!\n udp_init returned 0x%x\n", ret);
goto exit;
}
reset:
mbedtls_ssl_session_reset(&ssl);
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
ret =
mbedtls_ssl_conf_psk(&conf, psk, strlen(psk), psk_id,
strlen(psk_id));
if (ret != 0) {
mbedtls_printf(" failed!\n mbedtls_ssl_conf_psk"
" returned -0x%04X\n", -ret);
goto exit;
}
#endif
mbedtls_ssl_set_timer_cb(&ssl, &timer, dtls_timing_set_delay,
dtls_timing_get_delay);
mbedtls_ssl_set_bio(&ssl, &ctx, udp_tx, udp_rx, NULL);
/* For HelloVerifyRequest cookies */
ctx.client_id = (char)ctx.remaining;
ret = mbedtls_ssl_set_client_transport_id(&ssl, &ctx.client_id,
sizeof(char));
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_set_client_transport_id()"
" returned -0x%x\n", -ret);
goto exit;
}
curr_ctx = &ssl;
do {
ret = mbedtls_ssl_handshake(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
ret = 0;
goto reset;
}
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_handshake returned -0x%x\n",
-ret);
goto reset;
}
do {
/* Read the request */
pkt = net_pkt_get_reserve(&zoap_pkt_slab, 0, K_NO_WAIT);
if (!pkt) {
mbedtls_printf("Could not get packet from slab\n");
goto exit;
}
frag = net_buf_alloc(&zoap_data_pool, K_NO_WAIT);
if (!frag) {
mbedtls_printf("Could not get frag from pool\n");
goto exit;
}
net_pkt_frag_add(pkt, frag);
len = ZOAP_BUF_SIZE - 1;
memset(frag->data, 0, ZOAP_BUF_SIZE);
ret = mbedtls_ssl_read(&ssl, frag->data, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret <= 0) {
net_pkt_unref(pkt);
switch (ret) {
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf(" timeout\n");
goto reset;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed"
" gracefully\n");
goto close_notify;
default:
mbedtls_printf(" mbedtls_ssl_read"
" returned -0x%x\n", -ret);
goto reset;
}
}
len = ret;
frag->len = len;
ret = zoap_packet_parse(&zpkt, pkt);
if (ret) {
mbedtls_printf("Could not parse packet\n");
goto exit;
}
ret = zoap_handle_request(&zpkt, resources,
(const struct sockaddr *)&ssl);
if (ret < 0) {
mbedtls_printf("No handler for such request (%d)\n",
ret);
}
net_pkt_unref(pkt);
} while (1);
close_notify:
/* No error checking, the connection might be closed already */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
ret = 0;
mbedtls_printf(" done\n");
goto reset;
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
}
otError Dtls::Setup(bool aClient)
{
int rval;
// do not handle new connection before guard time expired
VerifyOrExit(mState == kStateOpen, rval = MBEDTLS_ERR_SSL_TIMEOUT);
mState = kStateInitializing;
mbedtls_ssl_init(&mSsl);
mbedtls_ssl_config_init(&mConf);
mbedtls_ctr_drbg_init(&mCtrDrbg);
mbedtls_entropy_init(&mEntropy);
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
mbedtls_x509_crt_init(&mCaChain);
mbedtls_x509_crt_init(&mOwnCert);
mbedtls_pk_init(&mPrivateKey);
#endif // MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
rval = mbedtls_entropy_add_source(&mEntropy, &Dtls::HandleMbedtlsEntropyPoll, NULL, MBEDTLS_ENTROPY_MIN_PLATFORM,
MBEDTLS_ENTROPY_SOURCE_STRONG);
VerifyOrExit(rval == 0);
{
otExtAddress eui64;
otPlatRadioGetIeeeEui64(&GetInstance(), eui64.m8);
rval = mbedtls_ctr_drbg_seed(&mCtrDrbg, mbedtls_entropy_func, &mEntropy, eui64.m8, sizeof(eui64));
VerifyOrExit(rval == 0);
}
rval = mbedtls_ssl_config_defaults(&mConf, aClient ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT);
VerifyOrExit(rval == 0);
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
if (mVerifyPeerCertificate && mCipherSuites[0] == MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8)
{
mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_REQUIRED);
}
else
{
mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_NONE);
}
#else
OT_UNUSED_VARIABLE(mVerifyPeerCertificate);
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
mbedtls_ssl_conf_rng(&mConf, mbedtls_ctr_drbg_random, &mCtrDrbg);
mbedtls_ssl_conf_min_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_max_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_ciphersuites(&mConf, mCipherSuites);
mbedtls_ssl_conf_export_keys_cb(&mConf, HandleMbedtlsExportKeys, this);
mbedtls_ssl_conf_handshake_timeout(&mConf, 8000, 60000);
mbedtls_ssl_conf_dbg(&mConf, HandleMbedtlsDebug, this);
#if OPENTHREAD_ENABLE_BORDER_AGENT || OPENTHREAD_ENABLE_COMMISSIONER || OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
if (!aClient)
{
mbedtls_ssl_cookie_init(&mCookieCtx);
rval = mbedtls_ssl_cookie_setup(&mCookieCtx, mbedtls_ctr_drbg_random, &mCtrDrbg);
VerifyOrExit(rval == 0);
mbedtls_ssl_conf_dtls_cookies(&mConf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &mCookieCtx);
}
#endif // OPENTHREAD_ENABLE_BORDER_AGENT || OPENTHREAD_ENABLE_COMMISSIONER || OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
rval = mbedtls_ssl_setup(&mSsl, &mConf);
VerifyOrExit(rval == 0);
mbedtls_ssl_set_bio(&mSsl, this, &Dtls::HandleMbedtlsTransmit, HandleMbedtlsReceive, NULL);
mbedtls_ssl_set_timer_cb(&mSsl, this, &Dtls::HandleMbedtlsSetTimer, HandleMbedtlsGetTimer);
if (mCipherSuites[0] == MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8)
{
rval = mbedtls_ssl_set_hs_ecjpake_password(&mSsl, mPsk, mPskLength);
}
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
else
{
rval = SetApplicationCoapSecureKeys();
}
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
VerifyOrExit(rval == 0);
mReceiveMessage = NULL;
mMessageSubType = Message::kSubTypeNone;
mState = kStateConnecting;
if (mCipherSuites[0] == MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8)
{
otLogInfoMeshCoP("DTLS started");
}
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
else
{
otLogInfoCoap("Application Coap Secure DTLS started");
}
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
mState = kStateConnecting;
Process();
exit:
if ((mState == kStateInitializing) && (rval != 0))
{
mState = kStateOpen;
FreeMbedtls();
}
return MapError(rval);
}
static int global_init(const struct instance *gi, global_context *gc) {
int ret;
#ifdef __APPLE__ // MacOS/X requires an additional call
int one = 1;
#endif
const char *pers = "goldy";
memset(gc, 0, sizeof(*gc));
gc->options = gi;
mbedtls_ssl_config_init(&gc->conf);
mbedtls_ssl_cookie_init(&gc->cookie_ctx);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init(&gc->cache);
#endif
mbedtls_x509_crt_init(&gc->cacert);
mbedtls_entropy_init(&gc->entropy);
mbedtls_ctr_drbg_init(&gc->ctr_drbg);
log_info("Goldy %s starting up", GOLDY_VERSION);
mbedtls_net_init(&gc->listen_fd);
ret = bind_listen_fd(gc);
if (ret != 0) {
goto exit;
}
#ifdef __APPLE__ // MacOS/X requires an additional call
ret = setsockopt(gc->listen_fd.fd, SOL_SOCKET, SO_REUSEPORT, (char*)&one, sizeof(one));
if (ret != 0) {
goto exit;
}
#endif
ret = mbedtls_x509_crt_parse_file(&gc->cacert, gi->cert_file);
if (ret != 0) {
log_error("mbedtls_x509_crt_parse returned %d", ret);
goto exit;
}
log_debug("Loaded server cacert file");
if ((ret = mbedtls_ctr_drbg_seed(&gc->ctr_drbg, mbedtls_entropy_func,
&gc->entropy, (const unsigned char *)pers,
strlen(pers))) != 0) {
printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
log_debug("Seeded random number generator");
if ((ret = mbedtls_ssl_config_defaults(&gc->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
log_error("mbedtls_ssl_config_defaults returned %d", ret);
goto exit;
}
mbedtls_ssl_conf_dbg(&gc->conf, log_mbedtls_debug_callback, NULL);
mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LOGGING_LEVEL);
mbedtls_ssl_conf_rng(&gc->conf, mbedtls_ctr_drbg_random, &gc->ctr_drbg);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(&gc->conf, &gc->cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
#endif
/* Now we can support verify server client, however for performance,
* just change to none because openvpn will do the auth again
*/
mbedtls_ssl_conf_authmode(&gc->conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_ca_chain(&gc->conf, &gc->cacert, NULL);
mbedtls_ssl_conf_verify(&gc->conf, server_cert_verify, NULL);
if ((ret = mbedtls_ssl_cookie_setup(&gc->cookie_ctx,
mbedtls_ctr_drbg_random,
&gc->ctr_drbg)) != 0) {
log_error("mbedtls_ssl_cookie_setup returned %d", ret);
goto exit;
}
mbedtls_ssl_conf_dtls_cookies(&gc->conf, mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check, &gc->cookie_ctx);
log_info("Proxy is ready, listening for connections on UDP %s:%s",
gi->listen_host, gi->listen_port);
exit:
check_return_code(ret, "global_init - exit");
if (ret != 0) {
global_deinit(gc);
}
return ret == 0 ? 0 : 1;
}
