ProtocolError DTLSMessageChannel::setup_context()
{
int ret;
mbedtls_ssl_free(&ssl_context);
ret = mbedtls_ssl_setup(&ssl_context, &conf);
EXIT_ERROR(ret, "unable to setup SSL context");
mbedtls_ssl_set_timer_cb(&ssl_context, &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
mbedtls_ssl_set_bio(&ssl_context, this, &DTLSMessageChannel::send_, &DTLSMessageChannel::recv_, NULL);
if ((ssl_context.session_negotiate->peer_cert = (mbedtls_x509_crt*)calloc(1, sizeof(mbedtls_x509_crt))) == NULL)
{
ERROR("unable to allocate certificate storage");
return INSUFFICIENT_STORAGE;
}
mbedtls_x509_crt_init(ssl_context.session_negotiate->peer_cert);
ret = mbedtls_pk_parse_public_key(&ssl_context.session_negotiate->peer_cert->pk, server_public, server_public_len);
if (ret) {
WARN("unable to parse negotiated public key: -%x", -ret);
return IO_ERROR;
}
return NO_ERROR;
}
int SSLContext::setTimer(State & state, SSLContextData * ssl_context_data) {
Stack * stack = state.stack;
TimingDelayContext * interfaceTimer = OBJECT_IFACE(TimingDelayContext);
mbedtls_timing_delay_context * timer = interfaceTimer->get(1);
if (timer) {
mbedtls_ssl_set_timer_cb(ssl_context_data->context, timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
}
return 0;
}
static int session_init(const global_context *gc,
session_context *sc,
const mbedtls_net_context *client_fd,
unsigned char client_ip[16], size_t cliip_len,
const unsigned char* first_packet, size_t first_packet_len) {
int ret;
memset(sc, 0, sizeof(*sc));
memcpy(&sc->client_fd, client_fd, sizeof(sc->client_fd));
if (cliip_len > sizeof(sc->client_ip)) {
log_error("session_init - client_ip size mismatch");
return 1;
}
memcpy(&sc->client_ip, client_ip, cliip_len);
sc->cliip_len = cliip_len;
mbedtls_ssl_init(&sc->ssl);
mbedtls_net_init(&sc->backend_fd);
sc->step = GOLDY_SESSION_STEP_HANDSHAKE;
sc->options = gc->options;
if ((ret = mbedtls_ssl_setup(&sc->ssl, &gc->conf)) != 0) {
check_return_code(ret, "session_init - mbedtls_ssl_steup");
return 1;
}
//mbedtls_ssl_set_hostname(&sc->ssl, "localhost");
mbedtls_ssl_set_timer_cb(&sc->ssl, &sc->timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
/* We already read the first packet of the SSL session from the network in
* the initial recvfrom() call on the listening fd. Here we copy the content
* of that packet into the SSL incoming data buffer so it'll be consumed on
* the next call to mbedtls_ssl_fetch_input(). */
if (first_packet_len<MBEDTLS_SSL_BUFFER_LEN) {
memcpy(sc->ssl.in_hdr, first_packet, first_packet_len);
sc->ssl.in_left = first_packet_len;
}
return 0;
}
static unsigned int _DTLSContext_setup(dtls_session_t *p_dtls_session, coap_dtls_options_t *p_options)
{
int result = 0;
mbedtls_ssl_init(&p_dtls_session->context);
result = mbedtls_ssl_setup(&p_dtls_session->context, &p_dtls_session->conf);
DTLS_TRC("mbedtls_ssl_setup result 0x%04x\r\n", result);
if (result == 0) {
if (p_dtls_session->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_set_timer_cb(&p_dtls_session->context,
(void *)&p_dtls_session->timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
}
#ifdef MBEDTLS_X509_CRT_PARSE_C
DTLS_TRC("mbedtls_ssl_set_hostname %s\r\n", p_options->p_host);
mbedtls_ssl_set_hostname(&p_dtls_session->context, p_options->p_host);
#endif
mbedtls_ssl_set_bio(&p_dtls_session->context,
(void *)&p_dtls_session->fd,
mbedtls_net_send,
mbedtls_net_recv,
mbedtls_net_recv_timeout);
DTLS_TRC("mbedtls_ssl_set_bio result 0x%04x\r\n", result);
do {
result = mbedtls_ssl_handshake(&p_dtls_session->context);
} while (result == MBEDTLS_ERR_SSL_WANT_READ ||
result == MBEDTLS_ERR_SSL_WANT_WRITE);
DTLS_TRC("mbedtls_ssl_handshake result 0x%04x\r\n", result);
}
return (result ? DTLS_HANDSHAKE_FAILED : DTLS_SUCCESS);
}
int main( void )
{
int ret, len;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "dtls_server";
unsigned char client_ip[16] = { 0 };
size_t cliip_len;
mbedtls_ssl_cookie_ctx cookie_ctx;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
mbedtls_timing_delay_context timer;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
mbedtls_net_init( &listen_fd );
mbedtls_net_init( &client_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ssl_cookie_init( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
#endif
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
mbedtls_entropy_init( &entropy );
mbedtls_ctr_drbg_init( &ctr_drbg );
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( DEBUG_LEVEL );
#endif
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the "listening" UDP socket
*/
printf( " . Bind on udp/*/4433 ..." );
fflush( stdout );
if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the DTLS data..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_cookie_setup( &cookie_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
&cookie_ctx );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
printf( " ok\n" );
reset:
#ifdef MBEDTLS_ERROR_C
if( ret != 0 )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
mbedtls_net_free( &client_fd );
mbedtls_ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
client_ip, sizeof( client_ip ), &cliip_len ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_accept returned %d\n\n", ret );
goto exit;
}
/* For HelloVerifyRequest cookies */
if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl,
client_ip, cliip_len ) ) != 0 )
{
printf( " failed\n ! "
"mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &client_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
printf( " ok\n" );
/*
* 5. Handshake
*/
printf( " . Performing the DTLS handshake..." );
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
printf( " hello verification requested\n" );
ret = 0;
goto reset;
}
else if( ret != 0 )
{
printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
printf( " ok\n" );
/*
* 6. Read the echo Request
*/
printf( " < Read from client:" );
fflush( stdout );
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_SSL_TIMEOUT:
printf( " timeout\n\n" );
goto reset;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
ret = 0;
goto close_notify;
default:
printf( " mbedtls_ssl_read returned -0x%x\n\n", -ret );
goto reset;
}
}
len = ret;
printf( " %d bytes read\n\n%s\n\n", len, buf );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
}
len = ret;
printf( " %d bytes written\n\n%s\n\n", len, buf );
/*
* 8. Done, cleanly close the connection
*/
close_notify:
printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
printf( " done\n" );
goto reset;
/*
* Final clean-ups and exit
*/
exit:
#ifdef MBEDTLS_ERROR_C
if( ret != 0 )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
printf( "Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
mbedtls_net_free( &client_fd );
mbedtls_net_free( &listen_fd );
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_cookie_free( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );
#endif
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
/* Shell can not handle large exit numbers -> 1 for errors */
if( ret < 0 )
ret = 1;
return( ret );
}
int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_server, SecureSocketMode sock_mode, coap_security_keys_t keys, uint32_t timeout_min, uint32_t timeout_max)
{
if( !sec ){
return -1;
}
sec->_is_blocking = false;
int endpoint = MBEDTLS_SSL_IS_CLIENT;
if( is_server ){
endpoint = MBEDTLS_SSL_IS_SERVER;
}
int mode = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
if( sock_mode == TLS ){
mode = MBEDTLS_SSL_TRANSPORT_STREAM;
}
if( ( mbedtls_ssl_config_defaults( &sec->_conf,
endpoint,
mode, 0 ) ) != 0 )
{
return -1;
}
if(!timeout_max && !timeout_min){
mbedtls_ssl_conf_handshake_timeout( &sec->_conf, DTLS_HANDSHAKE_TIMEOUT_MIN, DTLS_HANDSHAKE_TIMEOUT_MAX );
}
else{
mbedtls_ssl_conf_handshake_timeout( &sec->_conf, timeout_min, timeout_max );
}
mbedtls_ssl_conf_rng( &sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg );
if( ( mbedtls_ssl_setup( &sec->_ssl, &sec->_conf ) ) != 0 )
{
return -1;
}
mbedtls_ssl_set_bio( &sec->_ssl, sec,
f_send, f_recv, NULL );
mbedtls_ssl_set_timer_cb( &sec->_ssl, sec, set_timer,
get_timer );
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
//TODO: Figure out better way!!!
//Password should never be stored in multiple places!!!
if( is_server && keys._priv_len > 0){
memcpy(sec->_pw, keys._priv, keys._priv_len);
sec->_pw_len = keys._priv_len;
}
#endif
if( coap_security_handler_configure_keys( sec, keys ) != 0 ){
return -1;
}
#ifdef MBEDTLS_SSL_SRV_C
mbedtls_ssl_conf_dtls_cookies(&sec->_conf, simple_cookie_write,
simple_cookie_check,
&sec->_cookie);
#endif
mbedtls_ssl_conf_min_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
mbedtls_ssl_conf_max_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
sec->_is_started = true;
int ret = mbedtls_ssl_handshake_step( &sec->_ssl );
if( ret == 0 ){
ret = mbedtls_ssl_handshake_step( &sec->_ssl );
if( is_server && 0 == ret){
ret = coap_security_handler_continue_connecting( sec );
}
}
if( ret >= 0){
ret = 1;
}else{
ret = -1;
}
return ret;
}
int coap_security_handler_connect(coap_security_t *sec, bool is_server, SecureSocketMode sock_mode, coap_security_keys_t keys){
int ret = -1;
if( !sec ){
return ret;
}
sec->_is_blocking = true;
int endpoint = MBEDTLS_SSL_IS_CLIENT;
if( is_server ){
endpoint = MBEDTLS_SSL_IS_SERVER;
}
int mode = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
if( sock_mode == TLS ){
mode = MBEDTLS_SSL_TRANSPORT_STREAM;
}
if( ( mbedtls_ssl_config_defaults( &sec->_conf,
endpoint,
mode, 0 ) ) != 0 )
{
return -1;
}
mbedtls_ssl_set_bio( &sec->_ssl, sec,
f_send, f_recv, NULL );
mbedtls_ssl_set_timer_cb( &sec->_ssl, sec, set_timer,
get_timer );
if( coap_security_handler_configure_keys( sec, keys ) != 0 ){
return -1;
}
#ifdef MBEDTLS_SSL_SRV_C
mbedtls_ssl_conf_dtls_cookies(&sec->_conf, simple_cookie_write,
simple_cookie_check,
&sec->_cookie);
#endif
sec->_is_started = true;
do {
ret = mbedtls_ssl_handshake_step( &sec->_ssl );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ){ //cookie check failed
if( is_server ){
mbedtls_ssl_session_reset(&sec->_ssl);
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( mbedtls_ssl_set_hs_ecjpake_password(&sec->_ssl, keys._priv, keys._priv_len) != 0 ){
return -1;
}
#endif
ret = MBEDTLS_ERR_SSL_WANT_READ; //needed to keep doing
}else{
ret = -1;
}
}
}while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret != 0){
ret = -1;
}else{
if( mbedtls_ssl_get_verify_result( &sec->_ssl ) != 0 )
{
ret = -1;
}
}
return ret;
}
int dtlsclient_main( int argc, char *argv[] )
{
int ret, len;
mbedtls_net_context server_fd;
uint32_t flags;
unsigned char buf[1024];
const char *pers = "dtls_client";
int retry_left = MAX_RETRY;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_timing_delay_context timer;
((void) argc);
((void) argv);
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( DEBUG_LEVEL );
#endif
/*
* 0. Initialize the RNG and the session data
*/
mbedtls_net_init( &server_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_printf( "\n . Seeding the random number generator..." );
fflush( stdout );
mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 0. Load certificates
*/
mbedtls_printf( " . Loading the CA root certificate ..." );
fflush( stdout );
ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len );
if( ret < 0 )
{
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_printf( " ok (%d skipped)\n", ret );
/*
* 1. Start the connection
*/
mbedtls_printf( " . Connecting to udp/%s/%s...", SERVER_NAME, SERVER_PORT );
fflush( stdout );
if( ( ret = mbedtls_net_connect( &server_fd, SERVER_ADDR,
SERVER_PORT, MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 2. Setup stuff
*/
mbedtls_printf( " . Setting up the DTLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &server_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
mbedtls_printf( " ok\n" );
/*
* 4. Handshake
*/
mbedtls_printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 5. Verify the server certificate
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
/*
* 6. Write the echo request
*/
send_request:
mbedtls_printf( " > Write to server:" );
fflush( stdout );
len = sizeof( MESSAGE ) - 1;
do ret = mbedtls_ssl_write( &ssl, (unsigned char *) MESSAGE, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
}
len = ret;
mbedtls_printf( " %d bytes written\n\n%s\n\n", len, MESSAGE );
/*
* 7. Read the echo response
*/
mbedtls_printf( " < Read from server:" );
fflush( stdout );
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf( " timeout\n\n" );
if( retry_left-- > 0 )
goto send_request;
goto exit;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf( " connection was closed gracefully\n" );
ret = 0;
goto close_notify;
default:
mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n\n", -ret );
goto exit;
}
}
len = ret;
mbedtls_printf( " %d bytes read\n\n%s\n\n", len, buf );
/*
* 8. Done, cleanly close the connection
*/
close_notify:
mbedtls_printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
mbedtls_printf( " done\n" );
/*
* 9. Final clean-ups and exit
*/
exit:
#ifdef MBEDTLS_ERROR_C
if( ret != 0 )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
mbedtls_printf( "Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
mbedtls_net_free( &server_fd );
mbedtls_x509_crt_free( &cacert );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(_WIN32)
mbedtls_printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
/* Shell can not handle large exit numbers -> 1 for errors */
if( ret < 0 )
ret = 1;
return( ret );
}
otError Dtls::Setup(bool aClient)
{
int rval;
// do not handle new connection before guard time expired
VerifyOrExit(mState == kStateOpen, rval = MBEDTLS_ERR_SSL_TIMEOUT);
mState = kStateInitializing;
mbedtls_ssl_init(&mSsl);
mbedtls_ssl_config_init(&mConf);
mbedtls_ctr_drbg_init(&mCtrDrbg);
mbedtls_entropy_init(&mEntropy);
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
mbedtls_x509_crt_init(&mCaChain);
mbedtls_x509_crt_init(&mOwnCert);
mbedtls_pk_init(&mPrivateKey);
#endif // MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
rval = mbedtls_entropy_add_source(&mEntropy, &Dtls::HandleMbedtlsEntropyPoll, NULL, MBEDTLS_ENTROPY_MIN_PLATFORM,
MBEDTLS_ENTROPY_SOURCE_STRONG);
VerifyOrExit(rval == 0);
{
otExtAddress eui64;
otPlatRadioGetIeeeEui64(&GetInstance(), eui64.m8);
rval = mbedtls_ctr_drbg_seed(&mCtrDrbg, mbedtls_entropy_func, &mEntropy, eui64.m8, sizeof(eui64));
VerifyOrExit(rval == 0);
}
rval = mbedtls_ssl_config_defaults(&mConf, aClient ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT);
VerifyOrExit(rval == 0);
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
if (mVerifyPeerCertificate && mCipherSuites[0] == MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8)
{
mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_REQUIRED);
}
else
{
mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_NONE);
}
#else
OT_UNUSED_VARIABLE(mVerifyPeerCertificate);
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
mbedtls_ssl_conf_rng(&mConf, mbedtls_ctr_drbg_random, &mCtrDrbg);
mbedtls_ssl_conf_min_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_max_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_ciphersuites(&mConf, mCipherSuites);
mbedtls_ssl_conf_export_keys_cb(&mConf, HandleMbedtlsExportKeys, this);
mbedtls_ssl_conf_handshake_timeout(&mConf, 8000, 60000);
mbedtls_ssl_conf_dbg(&mConf, HandleMbedtlsDebug, this);
#if OPENTHREAD_ENABLE_BORDER_AGENT || OPENTHREAD_ENABLE_COMMISSIONER || OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
if (!aClient)
{
mbedtls_ssl_cookie_init(&mCookieCtx);
rval = mbedtls_ssl_cookie_setup(&mCookieCtx, mbedtls_ctr_drbg_random, &mCtrDrbg);
VerifyOrExit(rval == 0);
mbedtls_ssl_conf_dtls_cookies(&mConf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &mCookieCtx);
}
#endif // OPENTHREAD_ENABLE_BORDER_AGENT || OPENTHREAD_ENABLE_COMMISSIONER || OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
rval = mbedtls_ssl_setup(&mSsl, &mConf);
VerifyOrExit(rval == 0);
mbedtls_ssl_set_bio(&mSsl, this, &Dtls::HandleMbedtlsTransmit, HandleMbedtlsReceive, NULL);
mbedtls_ssl_set_timer_cb(&mSsl, this, &Dtls::HandleMbedtlsSetTimer, HandleMbedtlsGetTimer);
if (mCipherSuites[0] == MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8)
{
rval = mbedtls_ssl_set_hs_ecjpake_password(&mSsl, mPsk, mPskLength);
}
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
else
{
rval = SetApplicationCoapSecureKeys();
}
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
VerifyOrExit(rval == 0);
mReceiveMessage = NULL;
mMessageSubType = Message::kSubTypeNone;
mState = kStateConnecting;
if (mCipherSuites[0] == MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8)
{
otLogInfoMeshCoP("DTLS started");
}
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
else
{
otLogInfoCoap("Application Coap Secure DTLS started");
}
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
mState = kStateConnecting;
Process();
exit:
if ((mState == kStateInitializing) && (rval != 0))
{
mState = kStateOpen;
FreeMbedtls();
}
return MapError(rval);
}
void dtls_client(void)
{
int ret = exit_ok;
struct udp_context ctx;
struct dtls_timing_context timer;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_platform_set_printf(printf);
/*
* 0. Initialize and setup stuff
*/
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_printf("\n . Seeding the random number generator...");
mbedtls_entropy_init(&entropy);
mbedtls_entropy_add_source(&entropy, entropy_source, NULL,
MBEDTLS_ENTROPY_MAX_GATHER,
MBEDTLS_ENTROPY_SOURCE_STRONG);
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers,
strlen(pers)) != 0) {
ret = ctr_drbg_seed_failed;
mbedtls_printf
(" failed\n ! mbedtls_ctr_drbg_seed returned 0x%x\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" . Setting up the DTLS structure...");
ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
ret = ssl_config_defaults_failed;
mbedtls_printf(" failed! returned 0x%x\n\n", ret);
goto exit;
}
/* Modify this to change the default timeouts for the DTSL handshake */
/* mbedtls_ssl_conf_handshake_timeout( &conf, min, max ); */
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_THRESHOLD);
#endif
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, NULL);
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(heap, sizeof(heap));
#endif
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
ret = ssl_setup_failed;
mbedtls_printf
(" failed\n ! mbedtls_ssl_setup returned 0x%x\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1. Start the connection
*/
mbedtls_printf(" . Connecting to udp %d.%d.%d.%d:%d...",
SERVER_IPADDR0, SERVER_IPADDR1, SERVER_IPADDR2,
SERVER_IPADDR3, SERVER_PORT);
if (udp_init(&ctx) != 0) {
ret = connect_failed;
mbedtls_printf(" failed\n ! udp_init returned 0x%x\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_printf(" . Setting up ecjpake password ...");
if (mbedtls_ssl_set_hs_ecjpake_password
(&ssl, ecjpake_pw, ECJPAKE_PW_SIZE) != 0) {
mbedtls_printf(" failed! set ecjpake password returned %d\n\n",
ssl_setup_failed);
goto exit;
}
#endif
mbedtls_printf(" ok\n");
mbedtls_ssl_set_timer_cb(&ssl, &timer, dtls_timing_set_delay,
dtls_timing_get_delay);
mbedtls_ssl_set_bio(&ssl, &ctx, udp_tx, udp_rx, NULL);
mbedtls_printf(" . Performing the SSL/TLS handshake...");
ret = mbedtls_ssl_handshake(&ssl);
if (ret != 0) {
ret = ssl_handshake_failed;
mbedtls_printf
(" failed\n ! mbedtls_ssl_handshake returned 0x%x\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Write the GET request and close the connection
*/
mbedtls_printf(" > Write to server:");
if (mbedtls_ssl_write(&ssl, (const unsigned char *)GET_REQUEST,
sizeof(GET_REQUEST) - 1) <= 0) {
ret = ssl_write_failed;
mbedtls_printf
(" failed\n ! mbedtls_ssl_write returned 0x%x\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" . Closing the connection...");
mbedtls_ssl_close_notify(&ssl);
mbedtls_printf(" done\n");
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
}
int main(int argc, char *argv[]) {
int ret, exitcode;
mbedtls_net_context server_fd;
uint32_t flags;
char scenario[10000] = "";
char server_host[100] = "";
char server_port[6] = "";
char server_ssl_hostname[100] = "";
const char *pers = "dtls_client";
int opt;
struct timeval t0, t1;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_timing_delay_context timer;
/* Parse command line */
while ((opt = getopt(argc, argv, "h:n:p:s:")) != -1) {
switch (opt) {
case 'h':
strncpy(server_host, optarg, sizeof(server_host));
break;
case 'n':
strncpy(server_ssl_hostname, optarg, sizeof(server_ssl_hostname));
break;
case 'p':
strncpy(server_port, optarg, sizeof(server_port));
break;
case 's':
strncpy(scenario, optarg, sizeof(scenario));
break;
default: /* '?' */
print_usage(argv[0]);
}
}
if (!(scenario[0] && server_port[0] && server_host[0])) {
print_usage(argv[0]);
}
if (!server_ssl_hostname[0]) {
strncpy(server_ssl_hostname, server_host, sizeof(server_ssl_hostname));
}
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
/*
* 0. Initialize the RNG and the session data
*/
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
plog("Seeding the random number generator...");
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers, strlen(pers))) != 0) {
plog("ERROR: failed! mbedtls_ctr_drbg_seed returned %d", ret);
goto exit;
}
/*
* 0. Load certificates
*/
plog("Loading the CA root certificate ...");
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *)mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret < 0) {
plog("ERROR: failed! mbedtls_x509_crt_parse returned -0x%x", -ret);
goto exit;
}
plog("Connecting to udp %s:%s (SSL hostname: %s)...",
server_host, server_port, server_ssl_hostname);
if ((ret = mbedtls_net_connect(&server_fd, server_host, server_port, MBEDTLS_NET_PROTO_UDP)) != 0) {
plog("ERROR: failed! mbedtls_net_connect returned %d", ret);
goto exit;
}
plog("The local client UDP source port is %d", get_source_port(server_fd.fd));
plog("Setting up the DTLS structure...");
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
plog("ERROR: failed! mbedtls_ssl_config_defaults returned %d", ret);
goto exit;
}
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, log_mbedtls_debug_callback, NULL);
/* TODO timeouts */
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
plog("ERROR: failed! mbedtls_ssl_setup returned %d", ret);
goto exit;
}
if ((ret = mbedtls_ssl_set_hostname(&ssl, server_ssl_hostname)) != 0) {
plog("ERROR: failed! mbedtls_ssl_set_hostname returned %d", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout);
mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay);
plog("Performing the SSL/TLS handshake...");
gettimeofday(&t0, NULL);
do {
ret = mbedtls_ssl_handshake(&ssl);
plog(" ... during SSL handshake, ret=%d (WANT_READ=%d, WANT_WRITE=%d, RECV_FAILED=%d",
ret, MBEDTLS_ERR_SSL_WANT_READ, MBEDTLS_ERR_SSL_WANT_WRITE, MBEDTLS_ERR_NET_RECV_FAILED);
gettimeofday(&t1, NULL);
} while ((duration_ms(&t1, &t0) <= SSL_HANDSHAKE_TIMEOUT_MILLISECS) &&
(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE));
plog("handshake duration: %d milliseconds", duration_ms(&t1, &t0));
if (duration_ms(&t1, &t0) > SSL_HANDSHAKE_TIMEOUT_MILLISECS) {
plog("ERROR: long time to perform handshake: %d milliseconds", duration_ms(&t1, &t0));
ret = MBEDTLS_ERR_SSL_TIMEOUT;
goto exit;
}
if (ret != 0) {
plog("ERROR: failed! mbedtls_ssl_handshake returned -0x%x", -ret);
goto exit;
}
plog("Verifying peer X.509 certificate...");
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
char vrfy_buf[512];
mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "! ", flags);
plog("Verification failed: %s", vrfy_buf);
} else {
plog("Certificates ok");
}
ret = run_scenario(scenario, &ssl);
if (ret != 0) {
goto exit;
}
plog("Closing the connection...");
/* No error checking, the connection might be closed already */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
ret = 0;
exit:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
plog("ERROR: Last error was: %d - %s", ret, error_buf);
}
#endif
mbedtls_net_free(&server_fd);
mbedtls_x509_crt_free(&cacert);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
exitcode = ret == 0 ? 0 : 1;
plog("Done, exitcode=%d", exitcode);
return exitcode;
}
void dtls_server(void)
{
int len, ret = 0;
struct udp_context ctx;
struct dtls_timing_context timer;
struct zoap_packet zpkt;
struct net_pkt *pkt;
struct net_buf *frag;
mbedtls_ssl_cookie_ctx cookie_ctx;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_platform_set_printf(printk);
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_THRESHOLD);
#endif
/*
* Initialize and setup
*/
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_entropy_init(&entropy);
mbedtls_entropy_add_source(&entropy, entropy_source, NULL,
MBEDTLS_ENTROPY_MAX_GATHER,
MBEDTLS_ENTROPY_SOURCE_STRONG);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers, strlen(pers));
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ctr_drbg_seed returned -0x%x\n", -ret);
goto exit;
}
ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_config_defaults returned -0x%x\n",
-ret);
goto exit;
}
/* Modify this to change the default timeouts for the DTLS handshake */
/* mbedtls_ssl_conf_handshake_timeout( &conf, min, max ); */
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, NULL);
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(heap, sizeof(heap));
#endif
ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random,
&ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_cookie_setup returned -0x%x\n",
-ret);
goto exit;
}
mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check, &cookie_ctx);
ret = mbedtls_ssl_setup(&ssl, &conf);
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_setup returned -0x%x\n", -ret);
goto exit;
}
ret = udp_init(&ctx);
if (ret != 0) {
mbedtls_printf(" failed!\n udp_init returned 0x%x\n", ret);
goto exit;
}
reset:
mbedtls_ssl_session_reset(&ssl);
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
ret =
mbedtls_ssl_conf_psk(&conf, psk, strlen(psk), psk_id,
strlen(psk_id));
if (ret != 0) {
mbedtls_printf(" failed!\n mbedtls_ssl_conf_psk"
" returned -0x%04X\n", -ret);
goto exit;
}
#endif
mbedtls_ssl_set_timer_cb(&ssl, &timer, dtls_timing_set_delay,
dtls_timing_get_delay);
mbedtls_ssl_set_bio(&ssl, &ctx, udp_tx, udp_rx, NULL);
/* For HelloVerifyRequest cookies */
ctx.client_id = (char)ctx.remaining;
ret = mbedtls_ssl_set_client_transport_id(&ssl, &ctx.client_id,
sizeof(char));
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_set_client_transport_id()"
" returned -0x%x\n", -ret);
goto exit;
}
curr_ctx = &ssl;
do {
ret = mbedtls_ssl_handshake(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
ret = 0;
goto reset;
}
if (ret != 0) {
mbedtls_printf(" failed!\n"
" mbedtls_ssl_handshake returned -0x%x\n",
-ret);
goto reset;
}
do {
/* Read the request */
pkt = net_pkt_get_reserve(&zoap_pkt_slab, 0, K_NO_WAIT);
if (!pkt) {
mbedtls_printf("Could not get packet from slab\n");
goto exit;
}
frag = net_buf_alloc(&zoap_data_pool, K_NO_WAIT);
if (!frag) {
mbedtls_printf("Could not get frag from pool\n");
goto exit;
}
net_pkt_frag_add(pkt, frag);
len = ZOAP_BUF_SIZE - 1;
memset(frag->data, 0, ZOAP_BUF_SIZE);
ret = mbedtls_ssl_read(&ssl, frag->data, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret <= 0) {
net_pkt_unref(pkt);
switch (ret) {
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf(" timeout\n");
goto reset;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed"
" gracefully\n");
goto close_notify;
default:
mbedtls_printf(" mbedtls_ssl_read"
" returned -0x%x\n", -ret);
goto reset;
}
}
len = ret;
frag->len = len;
ret = zoap_packet_parse(&zpkt, pkt);
if (ret) {
mbedtls_printf("Could not parse packet\n");
goto exit;
}
ret = zoap_handle_request(&zpkt, resources,
(const struct sockaddr *)&ssl);
if (ret < 0) {
mbedtls_printf("No handler for such request (%d)\n",
ret);
}
net_pkt_unref(pkt);
} while (1);
close_notify:
/* No error checking, the connection might be closed already */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
ret = 0;
mbedtls_printf(" done\n");
goto reset;
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
}
