ESP32-Mesh-OTA/components/mesh_ota/HTTPS_Client.c

/**
* @file HTTPS_Client.c
* @brief Used to download the OTA image from the server
* @author Hendrik Schutter
* @date 20.01.2021
*
* Additional Infos: Connects via HTTPS and HTTPS Basic Auth to the Server.
* Downloads the image in segments
*/

#include "HTTPS_Client.h"

static const char *TAG = "https_client";

//HTTP GET data
static const char *REQUEST = "GET " CONFIG_OTA_HTTPS_URL " HTTP/1.1\r\n"
                             "Host: "CONFIG_OTA_HTTPS_SERVER_COMMON_NAME"\r\n"
                             "User-Agent: esp-idf/1.0 esp32\r\n"
                             "Authorization: Basic " CONFIG_OTA_HTTPS_AUTH "\r\n"
                             "\r\n";


static HTTPS_Client_t sHTTPS_ClientConfig;

https_client_ret_t https_clientInitEmbedTLS(void);
https_client_ret_t errHTTPSClientConnectToServer(void);
https_client_ret_t errHTTPSClientValidateServer(void);
https_client_ret_t errHTTPSClientSendRequest(void);

/**
* @fn https_client_ret_t errHTTPSClientInitialize(void)
* @brief Initialize the client
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* Initialize embedTLS
*/
https_client_ret_t errHTTPSClientInitialize(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;

    i32RetHTTPClient = https_clientInitEmbedTLS();

    if (i32RetHTTPClient == HTTPS_CLIENT_ERROR_INIT_EMBEDTLS)
        {
            ESP_LOGE(TAG, "Unable to initialize EmbedTLS");
            i32RetHTTPClient = HTTPS_CLIENT_ERROR;
        }
    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t errHTTPSClientRetrieveData(char* const cpu8Data, const uint32_t* const cpcu32DataLenght, uint32_t* pu32BytesRead)
* @brief receive a image segment from server
* @param cpu8Data data buffer
* @param cpcu32DataLenght desired byte amount
* @param pu32BytesRead actual received byte amount
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* Read segement and handle all events like EOF or timeout
*/
https_client_ret_t errHTTPSClientRetrieveData(char* const cpu8Data, const uint32_t* const cpcu32DataLenght, uint32_t* pu32BytesRead)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;
    int32_t i32RetRetrieveData = ESP_OK;
    bool bRetriveData = true;

    bzero(cpu8Data, *cpcu32DataLenght);
    (*pu32BytesRead) = 0U;

    while (bRetriveData)
        {
            mbedtls_ssl_conf_read_timeout(&sHTTPS_ClientConfig.conf, HTTPS_READ_TIMEOUT); //set timeout
            //Reading HTTP response
            i32RetRetrieveData = mbedtls_ssl_read(&sHTTPS_ClientConfig.ssl, (unsigned char *)(cpu8Data+(*pu32BytesRead)), ((*cpcu32DataLenght)-(*pu32BytesRead)));

            if(i32RetRetrieveData > 0)
                {
                    //Data received
                    *pu32BytesRead = *pu32BytesRead + i32RetRetrieveData;

                    if(*cpcu32DataLenght > 0)
                        {
                            //buffer not full yet --> read some more
                            bRetriveData = true;
                        }
                    else
                        {
                            //buffer full --> stop reading
                            bRetriveData = false;
                        }
                }

            if(i32RetRetrieveData == 0)
                {
                    //all data read --> stop reading
                    bRetriveData = false;
                    pu32BytesRead = 0;
                }

            if(i32RetRetrieveData == MBEDTLS_ERR_SSL_TIMEOUT )
                {
                    //timeout --> stop reading
                    bRetriveData = false;
                }

            if(i32RetRetrieveData == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
                {
                    //connection is going to be closed
                    i32RetHTTPClient = HTTPS_CLIENT_ERROR;
                    bRetriveData = false;
                }
        }
    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t errHTTPSClientReset(void)
* @brief reset client for next receive of image
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* reset session
*/
https_client_ret_t errHTTPSClientReset(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;

    i32RetHTTPClient = mbedtls_ssl_close_notify(&sHTTPS_ClientConfig.ssl); //close session

    if(i32RetHTTPClient != ESP_OK)
        {
            ESP_LOGE(TAG, "mbedtls_ssl_close_notify returned 0x%x", i32RetHTTPClient);
        }

    mbedtls_ssl_session_reset(&sHTTPS_ClientConfig.ssl); //reset embedssl
    mbedtls_net_free(&sHTTPS_ClientConfig.server_fd); //free ram

    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t https_clientInitEmbedTLS(void)
* @brief init embedTLS
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* attach certs for tls
*/
https_client_ret_t https_clientInitEmbedTLS(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;
    int32_t i32RetEmbedTLS = ESP_OK;
    static bool bAlreadySetup = false;

    mbedtls_ssl_init(&sHTTPS_ClientConfig.ssl);
    mbedtls_x509_crt_init(&sHTTPS_ClientConfig.cacert);
    mbedtls_ctr_drbg_init(&sHTTPS_ClientConfig.ctr_drbg);
    mbedtls_ssl_config_init(&sHTTPS_ClientConfig.conf);
    mbedtls_entropy_init(&sHTTPS_ClientConfig.entropy);

    i32RetEmbedTLS = mbedtls_ctr_drbg_seed(&sHTTPS_ClientConfig.ctr_drbg, mbedtls_entropy_func, &sHTTPS_ClientConfig.entropy, NULL, 0);

    if(i32RetEmbedTLS!= ESP_OK)
        {
            ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", i32RetEmbedTLS);
        }

    if(i32RetEmbedTLS == ESP_OK)
        {
            //Attaching the certificate bundle
            i32RetEmbedTLS = esp_crt_bundle_attach(&sHTTPS_ClientConfig.conf);
            if(i32RetEmbedTLS != ESP_OK)
                {
                    ESP_LOGE(TAG, "esp_crt_bundle_attach returned 0x%x\n\n", i32RetEmbedTLS);
                }
        }

    if(i32RetEmbedTLS == ESP_OK)
        {
            //Setting hostname for TLS session.
            i32RetEmbedTLS = mbedtls_ssl_set_hostname(&sHTTPS_ClientConfig.ssl, CONFIG_OTA_HTTPS_SERVER_COMMON_NAME);
            // Hostname set here should match CN in server certificate
            if(i32RetEmbedTLS != ESP_OK)
                {
                    ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned 0x%x", i32RetEmbedTLS);
                }
        }
    if(i32RetEmbedTLS == ESP_OK)
        {
            //Setting up the SSL/TLS structure
            i32RetEmbedTLS = mbedtls_ssl_config_defaults(&sHTTPS_ClientConfig.conf,
                             MBEDTLS_SSL_IS_CLIENT,
                             MBEDTLS_SSL_TRANSPORT_STREAM,
                             MBEDTLS_SSL_PRESET_DEFAULT);

            if(i32RetEmbedTLS != ESP_OK)
                {
                    ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", i32RetEmbedTLS);
                }
        }

    if(i32RetEmbedTLS == ESP_OK)
        {
            mbedtls_ssl_conf_authmode(&sHTTPS_ClientConfig.conf, MBEDTLS_SSL_VERIFY_REQUIRED);
            mbedtls_ssl_conf_ca_chain(&sHTTPS_ClientConfig.conf, &sHTTPS_ClientConfig.cacert, NULL);
            mbedtls_ssl_conf_rng(&sHTTPS_ClientConfig.conf, mbedtls_ctr_drbg_random, &sHTTPS_ClientConfig.ctr_drbg);

            if (bAlreadySetup == false) //check if mbedtls_ssl_setup was called before
                {
                    i32RetEmbedTLS = mbedtls_ssl_setup(&sHTTPS_ClientConfig.ssl, &sHTTPS_ClientConfig.conf); //call this only once
                    if(i32RetEmbedTLS != ESP_OK)
                        {
                            ESP_LOGE(TAG, "mbedtls_ssl_setup returned 0x%x\n", i32RetEmbedTLS);
                        }
                    else
                        {
                            bAlreadySetup = true;
                        }
                }
        }

    if(i32RetEmbedTLS == ESP_OK)
        {
            mbedtls_net_init(&sHTTPS_ClientConfig.server_fd);
        }

    if (i32RetEmbedTLS != ESP_OK)
        {
            i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_EMBEDTLS;
        }

    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t errHTTPSClientConnectToServer(void)
* @brief connect to server
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* open TLS session
*/
https_client_ret_t errHTTPSClientConnectToServer(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;
    int32_t i32RetServerConnect = ESP_OK;

    //Connecting to server
    i32RetServerConnect = mbedtls_net_connect(&sHTTPS_ClientConfig.server_fd, CONFIG_OTA_HTTPS_SERVER_COMMON_NAME, CONFIG_OTA_HTTPS_SERVER_PORT, MBEDTLS_NET_PROTO_TCP);
    if (i32RetServerConnect != ESP_OK)
        {
            ESP_LOGE(TAG, "mbedtls_net_connect returned %x", i32RetServerConnect);
        }

    if(i32RetServerConnect == ESP_OK)
        {
            mbedtls_ssl_set_bio(&sHTTPS_ClientConfig.ssl, &sHTTPS_ClientConfig.server_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout);

            //Performing the SSL/TLS handshake
            while ((i32RetServerConnect = mbedtls_ssl_handshake(&sHTTPS_ClientConfig.ssl)) != 0)
                {
                    if ((i32RetServerConnect != MBEDTLS_ERR_SSL_WANT_READ) && (i32RetServerConnect != MBEDTLS_ERR_SSL_WANT_WRITE))
                        {
                            ESP_LOGE(TAG, "mbedtls_ssl_handshake returned 0x%x", i32RetServerConnect);
                        }
                }
        }

    if(i32RetServerConnect != ESP_OK)
        {
            i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_CONNECT_TWO_SERVER;
        }
    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t errHTTPSClientValidateServer(void)
* @brief validate server
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* check CDN and cert
*/
https_client_ret_t errHTTPSClientValidateServer(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;
    int32_t i32RetValidateServer = ESP_OK;

    //Verifying peer X.509 certificate
    if ((i32RetValidateServer = mbedtls_ssl_get_verify_result(&sHTTPS_ClientConfig.ssl)) != 0)
        {
            ESP_LOGE(TAG, "Failed to verify peer certificate!");
        }

    if(i32RetValidateServer != ESP_OK)
        {
            i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_VALIDATE_SERVER;
        }
    return i32RetHTTPClient;
}

/**
* @fn https_client_ret_t errHTTPSClientSendRequest(void)
* @brief send request to server
* @param void
* @return HTTPS_Client error code
* @author Hendrik Schutter
* @date 20.01.2021
*
* send HTTP GET request
*/
https_client_ret_t errHTTPSClientSendRequest(void)
{
    https_client_ret_t i32RetHTTPClient = HTTPS_CLIENT_OK;
    int32_t i32RetSendRequest = ESP_OK;
    uint32_t u32WrittenBytes = 0;
    bool bWrite = true; //flag to stop loop

    //Writing HTTP request
    while((u32WrittenBytes < strlen(REQUEST)) && bWrite)
        {
            i32RetSendRequest = mbedtls_ssl_write(&sHTTPS_ClientConfig.ssl,
                                                  (const unsigned char *)REQUEST + u32WrittenBytes,
                                                  strlen(REQUEST) - u32WrittenBytes);
            if (i32RetSendRequest >= 0)
                {
                    //bytes written
                    u32WrittenBytes += i32RetSendRequest;
                }
            else if (i32RetSendRequest != MBEDTLS_ERR_SSL_WANT_WRITE && i32RetSendRequest != MBEDTLS_ERR_SSL_WANT_READ)
                {
                    ESP_LOGE(TAG, "mbedtls_ssl_write returned 0x%x", i32RetSendRequest);
                    bWrite = false;
                }
        }

    if(bWrite == false)
        {
            i32RetHTTPClient = HTTPS_CLIENT_ERROR_INIT_SEND_REQUEST;
        }
    return i32RetHTTPClient;
}