diff --git a/main/https_mbedtls_example_main.c b/main/https_mbedtls_example_main.c index 0eaa0f1..6208ae2 100644 --- a/main/https_mbedtls_example_main.c +++ b/main/https_mbedtls_example_main.c @@ -27,213 +27,349 @@ #include "esp_crt_bundle.h" -/* Constants that aren't configurable in menuconfig */ -#define WEB_SERVER "ota.hendrikschutter.com" -#define WEB_PORT "443" -#define WEB_URL "https://ota.hendrikschutter.com/hello-world.bin" +/* Constants that aren't configurable in menuconfig, yet */ +#define HTTPS_CLIENT_COMMON_NAME "ota.hendrikschutter.com" +#define HTTPS_CLIENT_PORT "443" +#define HTTPS_CLIENT_URL "https://ota.hendrikschutter.com/hello-world.bin" +#define HTTPS_CLIENT_AUTH "b3RhOnB3" //base64("username:password") -static const char *TAG = "example"; +#define HTTPS_CLIENT_OK 0 +#define HTTPS_CLIENT_ERROR -1 +#define HTTPS_CLIENT_ERROR_INIT_EMBEDTLS -2 +#define HTTPS_CLIENT_ERROR_INIT_CONNECT_TWO_SERVER -3 +#define HTTPS_CLIENT_ERROR_INIT_VALIDATE_SERVER -4 +#define HTTPS_CLIENT_ERROR_INIT_SEND_REQUEST -5 -static const char *REQUEST = "GET " WEB_URL " HTTP/1.1\r\n" - "Host: "WEB_SERVER"\r\n" - "User-Agent: esp-idf/1.0 esp32\r\n" - "Authorization: Basic b3RhOnB3\r\n" //base64("username:password") - "\r\n"; - - -static void https_get_task(void *pvParameters) +struct HTTPS_Client { - char buf[512]; - int ret, flags, len; - mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; mbedtls_x509_crt cacert; mbedtls_ssl_config conf; mbedtls_net_context server_fd; +}; - mbedtls_ssl_init(&ssl); - mbedtls_x509_crt_init(&cacert); - mbedtls_ctr_drbg_init(&ctr_drbg); - ESP_LOGI(TAG, "Seeding the random number generator"); +typedef int32_t https_client_ret_t; +typedef struct HTTPS_Client HTTPS_Client_t; - mbedtls_ssl_config_init(&conf); +static const char *TAG = "https_client"; - mbedtls_entropy_init(&entropy); - if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) +static const char *REQUEST = "GET " HTTPS_CLIENT_URL " HTTP/1.1\r\n" + "Host: "HTTPS_CLIENT_COMMON_NAME"\r\n" + "User-Agent: esp-idf/1.0 esp32\r\n" + "Authorization: Basic " HTTPS_CLIENT_AUTH "\r\n" + "\r\n"; + +static HTTPS_Client_t sHTTPS_ClientConfig; + +https_client_ret_t https_clientInitialize(); +https_client_ret_t https_clientRetrieveData(); +https_client_ret_t https_clientDeinitialize(); + +https_client_ret_t https_clientInitEmbedTLS(); +https_client_ret_t https_clientConnectToServer(); +https_client_ret_t https_clientValidateServer(); +https_client_ret_t https_clientSendRequest(); + +https_client_ret_t https_clientInitialize() +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + + i32RetHTTPClient = https_clientInitEmbedTLS(); + + if(i32RetHTTPClient == HTTPS_CLIENT_OK) { - ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret); - abort(); + i32RetHTTPClient = https_clientConnectToServer(); } - ESP_LOGI(TAG, "Attaching the certificate bundle..."); - - ret = esp_crt_bundle_attach(&conf); - - if(ret < 0) + if(i32RetHTTPClient == HTTPS_CLIENT_OK) { - ESP_LOGE(TAG, "esp_crt_bundle_attach returned -0x%x\n\n", -ret); - abort(); + i32RetHTTPClient = https_clientValidateServer(); } - ESP_LOGI(TAG, "Setting hostname for TLS session..."); - - /* Hostname set here should match CN in server certificate */ - if((ret = mbedtls_ssl_set_hostname(&ssl, WEB_SERVER)) != 0) + if(i32RetHTTPClient == HTTPS_CLIENT_OK) { - ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret); - abort(); + i32RetHTTPClient = https_clientSendRequest(); } - ESP_LOGI(TAG, "Setting up the SSL/TLS structure..."); - - if((ret = mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT)) != 0) + switch (i32RetHTTPClient) { - ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret); - goto exit; + case HTTPS_CLIENT_ERROR_INIT_EMBEDTLS: + ESP_LOGE(TAG, "Unable to initialize EmbedTLS"); + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + break; + case HTTPS_CLIENT_ERROR_INIT_CONNECT_TWO_SERVER: + ESP_LOGE(TAG, "Unable to connect to server"); + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + break; + case HTTPS_CLIENT_ERROR_INIT_VALIDATE_SERVER: + ESP_LOGE(TAG, "Unable to validate the server"); + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + break; + case HTTPS_CLIENT_ERROR_INIT_SEND_REQUEST: + ESP_LOGE(TAG, "Unable to send request to server"); + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + break; + case HTTPS_CLIENT_OK: + ESP_LOGI(TAG, "HTTPS Client successfully initialized"); + i32RetHTTPClient = HTTPS_CLIENT_OK; + break; + default: + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + ESP_LOGE(TAG, "Unknown error while init"); + break; } - mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED); - mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL); - mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); + return i32RetHTTPClient; +} - if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) +https_client_ret_t https_clientRetrieveData(unsigned char* pu8Data, uint32_t* pu32DataLenght, uint32_t* pu32BytesRead) +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + int32_t i32RetRetrieveData = ESP_OK; + bzero(pu8Data, *pu32DataLenght); + bool bRetriveData = true; + + while (bRetriveData) { - ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret); - goto exit; - } + //Reading HTTP response + i32RetRetrieveData = mbedtls_ssl_read(&sHTTPS_ClientConfig.ssl, (unsigned char *)pu8Data, *pu32DataLenght); - mbedtls_net_init(&server_fd); - - ESP_LOGI(TAG, "Connecting to %s:%s...", WEB_SERVER, WEB_PORT); - - if ((ret = mbedtls_net_connect(&server_fd, WEB_SERVER, - WEB_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) - { - ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret); - goto exit; - } - - ESP_LOGI(TAG, "Connected."); - - mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL); - - ESP_LOGI(TAG, "Performing the SSL/TLS handshake..."); - - while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) - { - if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) + if(i32RetRetrieveData > 0) { - ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret); - goto exit; + //Data received + *pu32BytesRead = *pu32BytesRead + i32RetRetrieveData; + *pu32DataLenght = *pu32DataLenght - *pu32BytesRead; + + if(*pu32DataLenght > 0) + { + //buffer not full yet --> read some more + bRetriveData = true; + } + else + { + //buffer full --> stop reading + bRetriveData = false; + } + } + + if(i32RetRetrieveData == 0) + { + //all data read --> stop reading + bRetriveData = false; + } + + if(i32RetRetrieveData == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) + { + //connection is going to be closed + i32RetHTTPClient = HTTPS_CLIENT_ERROR; + bRetriveData = false; + } + } + return i32RetHTTPClient; +} + +https_client_ret_t https_clientDeinitialize() +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + + i32RetHTTPClient = mbedtls_ssl_close_notify(&sHTTPS_ClientConfig.ssl); + + if(i32RetHTTPClient != ESP_OK) + { + ESP_LOGE(TAG, "mbedtls_ssl_close_notify returned 0x%x", i32RetHTTPClient); + } + + mbedtls_ssl_session_reset(&sHTTPS_ClientConfig.ssl); + mbedtls_net_free(&sHTTPS_ClientConfig.server_fd); + + return i32RetHTTPClient; +} + +https_client_ret_t https_clientInitEmbedTLS() { + + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + int32_t i32RetEmbedTLS = ESP_OK; + + mbedtls_ssl_init(&sHTTPS_ClientConfig.ssl); + mbedtls_x509_crt_init(&sHTTPS_ClientConfig.cacert); + mbedtls_ctr_drbg_init(&sHTTPS_ClientConfig.ctr_drbg); + mbedtls_ssl_config_init(&sHTTPS_ClientConfig.conf); + mbedtls_entropy_init(&sHTTPS_ClientConfig.entropy); + + i32RetEmbedTLS = mbedtls_ctr_drbg_seed(&sHTTPS_ClientConfig.ctr_drbg, mbedtls_entropy_func, &sHTTPS_ClientConfig.entropy, NULL, 0); + + if(i32RetEmbedTLS!= ESP_OK) + { + ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", i32RetEmbedTLS); + } + + if(i32RetEmbedTLS == ESP_OK) + { + //Attaching the certificate bundle + i32RetEmbedTLS = esp_crt_bundle_attach(&sHTTPS_ClientConfig.conf); + if(i32RetEmbedTLS != ESP_OK) + { + ESP_LOGE(TAG, "esp_crt_bundle_attach returned 0x%x\n\n", i32RetEmbedTLS); } } - ESP_LOGI(TAG, "Verifying peer X.509 certificate..."); - - if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) + if(i32RetEmbedTLS == ESP_OK) { - /* In real life, we probably want to close connection if ret != 0 */ - ESP_LOGW(TAG, "Failed to verify peer certificate!"); - bzero(buf, sizeof(buf)); - mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags); - ESP_LOGW(TAG, "verification info: %s", buf); - } - else { - ESP_LOGI(TAG, "Certificate verified."); + //Setting hostname for TLS session. + i32RetEmbedTLS = mbedtls_ssl_set_hostname(&sHTTPS_ClientConfig.ssl, HTTPS_CLIENT_COMMON_NAME); + // Hostname set here should match CN in server certificate + if(i32RetEmbedTLS != ESP_OK) + { + ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned 0x%x", i32RetEmbedTLS); + } } + if(i32RetEmbedTLS == ESP_OK) + { + //Setting up the SSL/TLS structure + i32RetEmbedTLS = mbedtls_ssl_config_defaults(&sHTTPS_ClientConfig.conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT); - ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl)); - - ESP_LOGI(TAG, "Writing HTTP request..."); - - size_t written_bytes = 0; - while(written_bytes < strlen(REQUEST)) { - ret = mbedtls_ssl_write(&ssl, - (const unsigned char *)REQUEST + written_bytes, - strlen(REQUEST) - written_bytes); - if (ret >= 0) { - ESP_LOGI(TAG, "%d bytes written", ret); - written_bytes += ret; - } else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) { - ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret); - goto exit; + if(i32RetEmbedTLS != ESP_OK) + { + ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", i32RetEmbedTLS); } } - ESP_LOGI(TAG, "Reading HTTP response..."); + if(i32RetEmbedTLS == ESP_OK) + { + mbedtls_ssl_conf_authmode(&sHTTPS_ClientConfig.conf, MBEDTLS_SSL_VERIFY_REQUIRED); + mbedtls_ssl_conf_ca_chain(&sHTTPS_ClientConfig.conf, &sHTTPS_ClientConfig.cacert, NULL); + mbedtls_ssl_conf_rng(&sHTTPS_ClientConfig.conf, mbedtls_ctr_drbg_random, &sHTTPS_ClientConfig.ctr_drbg); - //do - /// { - len = sizeof(buf) - 1; - bzero(buf, sizeof(buf)); - ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len); - - if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) - // continue; - - if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { - ret = 0; - // break; + i32RetEmbedTLS = mbedtls_ssl_setup(&sHTTPS_ClientConfig.ssl, &sHTTPS_ClientConfig.conf); + if(i32RetEmbedTLS != ESP_OK) + { + ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", i32RetEmbedTLS); } + } - if(ret < 0) + if(i32RetEmbedTLS == ESP_OK) { - ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret); - // break; + mbedtls_net_init(&sHTTPS_ClientConfig.server_fd); } - if(ret == 0) + if (i32RetEmbedTLS != ESP_OK) { - ESP_LOGI(TAG, "connection closed"); - // break; + i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_EMBEDTLS; } - len = ret; + return i32RetHTTPClient; +} - ESP_LOGI(TAG, "%d bytes read", len); +https_client_ret_t https_clientConnectToServer() +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + int32_t i32RetServerConnect = ESP_OK; - /* Print response directly to stdout as it is read */ - for(int i = 0; i < len; i++) { - putchar(buf[i]); - //printf("0x%x ", buf[i]); - } - printf("\n"); - - // } while(1); - - ret = mbedtls_ssl_close_notify(&ssl); - - if(ret != 0) - { - ESP_LOGE(TAG, "mbedtls_ssl_close_notify returned 0x%x", ret); - } - - -exit: - mbedtls_ssl_session_reset(&ssl); - mbedtls_net_free(&server_fd); - - if(ret != 0) + //Connecting to server + i32RetServerConnect = mbedtls_net_connect(&sHTTPS_ClientConfig.server_fd, HTTPS_CLIENT_COMMON_NAME, HTTPS_CLIENT_PORT, MBEDTLS_NET_PROTO_TCP); + if (i32RetServerConnect != ESP_OK) { - mbedtls_strerror(ret, buf, 100); - ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf); + ESP_LOGE(TAG, "mbedtls_net_connect returned %x", i32RetServerConnect); } - putchar('\n'); // JSON output doesn't have a newline at end + if(i32RetServerConnect == ESP_OK) + { + mbedtls_ssl_set_bio(&sHTTPS_ClientConfig.ssl, &sHTTPS_ClientConfig.server_fd, mbedtls_net_send, mbedtls_net_recv, NULL); - static int request_count; - ESP_LOGI(TAG, "Completed %d requests", ++request_count); + //Performing the SSL/TLS handshake + while ((i32RetServerConnect = mbedtls_ssl_handshake(&sHTTPS_ClientConfig.ssl)) != 0) + { + if ((i32RetServerConnect != MBEDTLS_ERR_SSL_WANT_READ) && (i32RetServerConnect != MBEDTLS_ERR_SSL_WANT_WRITE)) + { + ESP_LOGE(TAG, "mbedtls_ssl_handshake returned 0x%x", i32RetServerConnect); + } + } + } + + if(i32RetServerConnect != ESP_OK) + { + i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_CONNECT_TWO_SERVER; + } + return i32RetHTTPClient; +} + +https_client_ret_t https_clientValidateServer() +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + int32_t i32RetValidateServer = ESP_OK; + + //Verifying peer X.509 certificate + if ((i32RetValidateServer = mbedtls_ssl_get_verify_result(&sHTTPS_ClientConfig.ssl)) != 0) + { + ESP_LOGE(TAG, "Failed to verify peer certificate!"); + } + + if(i32RetValidateServer != ESP_OK) + { + i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_VALIDATE_SERVER; + } + return i32RetHTTPClient; +} + +https_client_ret_t https_clientSendRequest() +{ + https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK; + int32_t i32RetSendRequest = ESP_OK; + uint32_t u32WrittenBytes = 0; + bool bWrite = true; + + //Writing HTTP request + while((u32WrittenBytes < strlen(REQUEST)) && bWrite) + { + i32RetSendRequest = mbedtls_ssl_write(&sHTTPS_ClientConfig.ssl, + (const unsigned char *)REQUEST + u32WrittenBytes, + strlen(REQUEST) - u32WrittenBytes); + if (i32RetSendRequest >= 0) + { + //bytes written + u32WrittenBytes += i32RetSendRequest; + } else if (i32RetSendRequest != MBEDTLS_ERR_SSL_WANT_WRITE && i32RetSendRequest != MBEDTLS_ERR_SSL_WANT_READ) { + ESP_LOGE(TAG, "mbedtls_ssl_write returned 0x%x", i32RetSendRequest); + bWrite = false; + } + } + + if(bWrite == false) + { + i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_SEND_REQUEST; + } + return i32RetHTTPClient; +} - ESP_LOGI(TAG, "going into endless loop!"); +static void https_get_task(void *pvParameters) +{ - while(1) { + https_clientInitialize(); + + uint32_t u32BufferLenght = 1024U; + unsigned char buffer[1024U]; + uint32_t u32BytesRead = 0; + + https_clientRetrieveData(buffer, &u32BufferLenght, &u32BytesRead); + + // Print response directly to stdout as it is read + for(uint32_t i = 0; i < u32BytesRead; i++) { + putchar(buffer[i]); + // printf("%x ", buffer[i]); + } + printf("\n END \n"); + + https_clientDeinitialize(); + + while(1) + { }