Skip to content

This code example demonstrates implementing a secure TCP server using the AnyCloud SDK for PSoC 6 MCU and CYW43xxx connectivity devices.

License

Notifications You must be signed in to change notification settings

Infineon/mtb-example-wifi-secure-tcp-server

Repository files navigation

Secure TCP server

This code example demonstrates the implementation of a secure TCP server with PSoC™ 6 MCU and AIROC™ CYW43xxx Wi-Fi & Bluetooth® combo chips.

In this example, the TCP server establishes a secure connection with a TCP client through SSL handshake. Once the SSL handshake completes successfully, the server allows the user to send LED ON/OFF command to the TCP client; the client responds by sending an acknowledgement message to the server. The Wi-Fi device can be brought up in either STA interface or soft AP interface mode. Additionally, this code example can be configured to work with IPv4 or link-local IPv6 addressing mode.

This example uses the Wi-Fi Core FreeRTOS lwIP mbedtls library of the SDK. This library enables application development based on Wi-Fi, by pulling wifi-connection-manager, FreeRTOS, lwIP, mbed TLS, secure sockets and other dependent modules. The secure sockets library provides an easy-to-use API by abstracting the network stack (lwIP) and the security stack (mbed TLS).

View this README on GitHub.

Provide feedback on this code example.

Requirements

Supported toolchains (make variable 'TOOLCHAIN')

  • GNU Arm® Embedded Compiler v11.3.1 (GCC_ARM) – Default value of TOOLCHAIN
  • Arm® Compiler v6.16 (ARM)
  • IAR C/C++ Compiler v9.30.1 (IAR)

Supported kits (make variable 'TARGET')

Hardware setup

This example uses the board's default configuration. See the kit user guide to ensure that the board is configured correctly.

Note: The PSoC™ 6 Bluetooth® LE Pioneer Kit (CY8CKIT-062-BLE) and the PSoC™ 6 Wi-Fi Bluetooth® Pioneer Kit (CY8CKIT-062-WIFI-BT) ship with KitProg2 installed. ModusToolbox™ requires KitProg3. Before using this code example, make sure that the board is upgraded to KitProg3. The tool and instructions are available in the Firmware Loader GitHub repository. If you do not upgrade, you will see an error like "unable to find CMSIS-DAP device" or "KitProg firmware is out of date".

Software setup

See the ModusToolbox™ tools package installation guide for information about installing and configuring the tools package. Install a terminal emulator if you don't have one. Instructions in this document use Tera Term.

Install a Python interpreter if you do not have one. This code example is tested using Python 3.7.7.

Using the code example

Create the project

The ModusToolbox™ tools package provides the Project Creator as both a GUI tool and a command line tool.

Use Project Creator GUI
  1. Open the Project Creator GUI tool.

    There are several ways to do this, including launching it from the dashboard or from inside the Eclipse IDE. For more details, see the Project Creator user guide (locally available at {ModusToolbox™ install directory}/tools_{version}/project-creator/docs/project-creator.pdf).

  2. On the Choose Board Support Package (BSP) page, select a kit supported by this code example. See Supported kits.

    Note: To use this code example for a kit not listed here, you may need to update the source files. If the kit does not have the required resources, the application may not work.

  3. On the Select Application page:

    a. Select the Applications(s) Root Path and the Target IDE.

    Note: Depending on how you open the Project Creator tool, these fields may be pre-selected for you.

    b. Select this code example from the list by enabling its check box.

    Note: You can narrow the list of displayed examples by typing in the filter box.

    c. (Optional) Change the suggested New Application Name and New BSP Name.

    d. Click Create to complete the application creation process.

Use Project Creator CLI

The 'project-creator-cli' tool can be used to create applications from a CLI terminal or from within batch files or shell scripts. This tool is available in the {ModusToolbox™ install directory}/tools_{version}/project-creator/ directory.

Use a CLI terminal to invoke the 'project-creator-cli' tool. On Windows, use the command-line 'modus-shell' program provided in the ModusToolbox™ installation instead of a standard Windows command-line application. This shell provides access to all ModusToolbox™ tools. You can access it by typing "modus-shell" in the search box in the Windows menu. In Linux and macOS, you can use any terminal application.

The following example clones the "Secure TCP Server" application with the desired name "SecureTcpServer" configured for the CY8CPROTO-062S2-43439 BSP into the specified working directory, C:/mtb_projects:

project-creator-cli --board-id CY8CPROTO-062S2-43439 --app-id mtb-example-wifi-secure-tcp-server --user-app-name SecureTcpServer --target-dir "C:/mtb_projects"

Update the above paragraph and commands to match your CE.

The 'project-creator-cli' tool has the following arguments:

Argument Description Required/optional
--board-id Defined in the field of the BSP manifest Required
--app-id Defined in the field of the CE manifest Required
--target-dir Specify the directory in which the application is to be created if you prefer not to use the default current working directory Optional
--user-app-name Specify the name of the application if you prefer to have a name other than the example's default name Optional

Note: The project-creator-cli tool uses the git clone and make getlibs commands to fetch the repository and import the required libraries. For details, see the "Project creator tools" section of the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Open the project

After the project has been created, you can open it in your preferred development environment.

Eclipse IDE

If you opened the Project Creator tool from the included Eclipse IDE, the project will open in Eclipse automatically.

For more details, see the Eclipse IDE for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_ide_user_guide.pdf).

Visual Studio (VS) Code

Launch VS Code manually, and then open the generated {project-name}.code-workspace file located in the project directory.

For more details, see the Visual Studio Code for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_vscode_user_guide.pdf).

Keil µVision

Double-click the generated {project-name}.cprj file to launch the Keil µVision IDE.

For more details, see the Keil µVision for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_uvision_user_guide.pdf).

IAR Embedded Workbench

Open IAR Embedded Workbench manually, and create a new project. Then select the generated {project-name}.ipcf file located in the project directory.

For more details, see the IAR Embedded Workbench for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_iar_user_guide.pdf).

Command line

If you prefer to use the CLI, open the appropriate terminal, and navigate to the project directory. On Windows, use the command-line 'modus-shell' program; on Linux and macOS, you can use any terminal application. From there, you can run various make commands.

For more details, see the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Operation

If using a PSoC™ 64 "Secure" MCU kit (like CY8CKIT-064B0S2-4343W), the PSoC™ 64 device must be provisioned with keys and policies before being programmed. Follow the instructions in the "Secure Boot" SDK user guide to provision the device. If the kit is already provisioned, copy-paste the keys and policy folder to the application folder.

Note: Use policy_single_CM0_CM4_smif_swap.json policy instead of using the default one "policy_single_CM0_CM4_swap.json" to provision CY8CKIT-064B0S2-4343W device.

  1. Connect the board to your PC using the provided USB cable through the KitProg3 USB connector.

  2. The kit can be configured to run either in the Wi-Fi STA interface mode or in AP interface mode. The interface mode is configured using the USE_AP_INTERFACE macro defined in the network_credentials.h file. Based on the desired interface mode, do the following:

    Kit in STA mode (default interface):

    1. Set the USE_AP_INTERFACE macro to 0. This is the default mode.

    2. Modify the WIFI_SSID, WIFI_PASSWORD, and WIFI_SECURITY_TYPE macros to match with that of the Wi-Fi network credentials that you want to connect. These macros are defined in the network_credentials.h file. Ensure that the Wi-Fi network that you are connecting to is configured as a private network for the proper functioning of this example.

    Kit in AP mode:

    1. Set the USE_AP_INTERFACE macro to 1.

    2. Update SOFTAP_SSID, SOFTAP_PASSWORD, and SOFTAP_SECURITY_TYPE as desired. This step is optional.

  3. Configure the IP addressing mode. By default, IPv4-based addressing is used. To use IPv6 addressing mode, set the USE_IPV6_ADDRESS macro defined in the secure_tcp_server.h file as follows:

    #define USE_IPV6_ADDRESS				      (1)
    
  4. Open a terminal program and select the KitProg3 COM port. Set the serial port parameters to 8N1 and 115200 baud.

  5. Program the board using one of the following:

    Using Eclipse IDE
    1. Select the application project in the Project Explorer.

    2. In the Quick Panel, scroll down, and click <Application Name> Program (KitProg3_MiniProg4).

    In other IDEs

    Follow the instructions in your preferred IDE.

    Using CLI

    From the terminal, execute the make program command to build and program the application using the default toolchain to the default target. The default toolchain is specified in the application's Makefile but you can override this value manually:

    make program TOOLCHAIN=<toolchain>
    

    Example:

    make program TOOLCHAIN=GCC_ARM
    

    After programming, the application starts automatically. Confirm that the text as shown in either one of the following figures is displayed on the UART terminal. Note that the Wi-Fi SSID and the IP address assigned will be different based on the network that you have connected to; in AP mode, the AP credentials will be different based on your configuration in Step 2.

    Figure 1. UART terminal showing the Wi-Fi connection status (IPv4 address and STA mode)


    Figure 2. UART terminal showing the Wi-Fi connection status (IPv6 address and STA mode)


    Figure 3. UART terminal showing the Wi-Fi connection status (IPv4 address and AP mode)

    Similarly, when the CE is configured for IPv6 and AP mode, the IPv4 address displayed in Figure 3 will be replaced by the IPv6 address.

  6. Connect your PC to the Wi-Fi AP that you have configured in Step 2:

    • In STA mode: Connect the computer to the same AP to which the kit is connected.

    • In AP mode: Connect the computer to the kit's AP.

    Make a note of the IP address assigned to the kit. Note that the type of IP address (IPv4 or IPv6) assigned will be based on the IP addressing mode configured in Step 3.

  7. From the project directory ({project directory}/python-tcp-secure-client folder), open a command shell and run the Python TCP secure client (tcp_secure_client.py). In the command shell opened in the project directory, type in the following command based on the IP addressing mode configuration:

    For IPv4-based addressing:

    python tcp_secure_client.py ipv4 <IPv4 address of the kit>
    

    For IPv6-based addressing:

    python tcp_secure_client.py ipv6 <IPv6 address of the kit>
    

    Note: Ensure that the firewall settings of your computer allow access to the Python software so that it can communicate with the TCP server. For more details on enabling Python access, see this community thread.

  8. Press the user button (CYBSP_USER_BTN) to send LED ON/OFF command to the Python TCP client.

    Each user button press will issue the LED ON or LED OFF commands alternately. The client in turn sends an acknowledgement message back to the server.

    Figure 4 and Figure 5 show the TCP server output in IPv4 addressing mode, when the CE is configured in STA and AP mode respectively. Figure 6 shows the TCP client output in IPv4 addressing mode for both AP and STA mode. When the CE is configured in STA mode, Figure 7 and Figure 8 show the TCP server and TCP client outputs respectively in IPv6 addressing mode.

    When the CE is configured in AP and IPv6 mode, the only change from the Figure 4 is the IPv6 address being displayed instead of IPv4.

    Figure 4. TCP server output - STA mode (IPv4 addressing mode)


    Figure 5. TCP server output - AP mode (IPv4 addressing mode)


    Figure 6. TCP client output (IPv4 addressing mode)


    Figure 7. TCP server output (IPv6 addressing mode)


    Figure 8. TCP client output (IPv6 addressing mode)

    Note: Instead of using the Python TCP client (tcp_secure_client.py), alternatively you can use the example mtb-example-wifi-secure-tcp-client to run as TCP client on the second kit. See the code example documentation to learn how to use the example.

Debugging

You can debug the example to step through the code. In the IDE, use the <Application Name> Debug (KitProg3_MiniProg4) configuration in the Quick Panel. For details, see the "Program and debug" section in the Eclipse IDE for ModusToolbox™ software user guide.

Note: (Only while debugging) On the CM4 CPU, some code in main() may execute before the debugger halts at the beginning of main(). This means that some code executes twice – once before the debugger stops execution, and again after the debugger resets the program counter to the beginning of main(). See KBA231071 to learn about this and for the workaround.

Design and implementation

Resources and settings

This example uses the Arm® Cortex®-M4 (CM4) CPU of PSoC™ 6 MCU to execute an RTOS task: TCP secure server task. At device reset, the default Cortex®-M0+ (CM0+) application enables the CM4 CPU and configures the CM0+ CPU to go to sleep.

In this example, the TCP server establishes a secure connection with a TCP client through SSL handshake. During the SSL handshake, the server presents its SSL certificate for verification, and verifies the incoming client identity. The server's SSL certificate used in this example is a self-signed SSL certificate. See Creating a self-signed certificate for more details.

Once the SSL handshake completes successfully, the server allows the user to send LED ON/OFF commands to the TCP client; the client responds by sending an acknowledgement message to the server.

Note: The CY8CPROTO-062-4343W board shares the same GPIO for the user button (CYBSP_USER_BTN) and the CYW4343W host wake pin. Because this example uses the GPIO for interfacing with the user button, the SDIO interrupt to wake up the host is disabled by setting CY_WIFI_HOST_WAKE_SW_FORCE to '0' in the Makefile through the DEFINES variable.

Table 1. Application resources

Resource Alias/object Purpose
SDIO (HAL) sdio_obj SDIO interface for Wi-Fi connectivity
UART (HAL) cy_retarget_io_uart_obj UART HAL object used by retarget-io for debug UART port
BUTTON (BSP) CYBSP_USER_BTN User button used to send LED ON/OFF commands to the TCP client


Creating a self-signed SSL certificate

The TCP server demonstrated in this example uses a self-signed SSL certificate. This requires OpenSSL which is already preloaded in the ModusToolbox™ software installation. Self-signed SSL certificate means that there is no third-party certificate issuing authority, commonly referred to as CA, involved in the authentication of the server. Clients connecting to the server must have an exact copy of the SSL certificate to verify the server's identity.

Do the following to generate a self-signed SSL certificate:

Generate SSL certificate and private key

  1. Run the following command with a CLI (on Windows, use the command line "modus-shell" program provided in the ModusToolbox™ installation instead of a standard Windows command-line application) to generate the CA certificate using the following commands. Follow the instructions in the command window to provide the details required.

    openssl ecparam -name prime256v1 -genkey -noout -out root_ca.key
    openssl req -new -x509 -sha256 -key root_ca.key -out root_ca.crt -days 1000
    
  2. Generate the server key pair and server certificate (signed using the CA certificate from Step 1). Follow the instructions in the command window to provide the details required.

    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -sha256 -key server.key -out server.csr
    openssl x509 -req -in server.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server.crt -days 1000 -sha256
    
  3. Follow the instructions in the command window to provide the details required for creating the SSL certificate and private key.

    The server.crt file is your server's certificate and server.key is your server's private key.

Related resources

Resources Links
Application notes AN228571 – Getting started with PSoC™ 6 MCU on ModusToolbox™
AN215656 – PSoC™ 6 MCU: Dual-CPU system design
AN79953 – Getting started with PSoC™ 4
AN85951 – PSoC™ 4 and PSoC™ 6 MCU CAPSENSE™ design guide
Code examples Using ModusToolbox™ on GitHub
Device documentation PSoC™ 6 MCU datasheets
PSoC™ 6 technical reference manuals
PSoC™ 4 datasheets
PSoC™ 4 technical reference manuals
Development kits Select your kits from the Evaluation board finder.
Libraries on GitHub mtb-pdl-cat1 – PSoC™ 6 Peripheral Driver Library (PDL)
mtb-hal-cat1 – Hardware Abstraction Layer (HAL) library
retarget-io – Utility library to retarget STDIO messages to a UART port
mtb-pdl-cat2 – PSoC™ 4 Peripheral Driver Library (PDL)
mtb-hal-cat2 – Hardware Abstraction Layer (HAL) library
Middleware on GitHub capsense – CAPSENSE™ library and documents
psoc6-middleware – Links to all PSoC™ 6 MCU middleware
Tools ModusToolbox™ – ModusToolbox™ software is a collection of easy-to-use libraries and tools enabling rapid development with Infineon MCUs for applications ranging from wireless and cloud-connected systems, edge AI/ML, embedded sense and control, to wired USB connectivity using PSoC™ Industrial/IoT MCUs, AIROC™ Wi-Fi and Bluetooth® connectivity devices, XMC™ Industrial MCUs, and EZ-USB™/EZ-PD™ wired connectivity controllers. ModusToolbox™ incorporates a comprehensive set of BSPs, HAL, libraries, configuration tools, and provides support for industry-standard IDEs to fast-track your embedded application development.

Other resources

Infineon provides a wealth of data at www.infineon.com to help you select the right device, and quickly and effectively integrate it into your design.

For PSoC™ 6 MCU devices, see How to design with PSoC™ 6 MCU - KBA223067 in the Infineon Developer community.

Document history

Document title: CE229254 - Secure TCP server

Version Description of change
1.0.0 New code example
1.1.0 Updated for ModusToolbox™ 2.1
Code updated to use secure sockets and Wi-Fi connection manager libraries
1.2.0 Makefile updated to sync with BSP changes.
Code updated to use RTOS task notification
1.3.0 Updated to add link-local IPv6 support
2.0.0 Major update to support ModusToolbox™ v2.2, added support for new kits
Added soft AP Wi-Fi interface mode
This version is not backward compatible with ModusToolbox™ software v2.1.
Updated to support FreeRTOS v10.3.1
2.1.0 Updated to FreeRTOS v10.4.3
Added support for new kits
3.0.0 Updated to support ModusToolbox™ v2.4
Added support for new kits
Updated the BSPs to v3.X
4.0.0 Major update to support ModusToolbox™ v3.0 and BSPs v4.X. This version is not backward compatible with previous versions of ModusToolbox™
4.1.0 Added support for CY8CKIT-064B0S2-4343W
4.2.0 Added support for CY8CEVAL-062S2-LAI-43439M2
4.3.0 Added support for CY8CPROTO-062S2-43439
4.4.0 Added support for CY8CEVAL-062S2-MUR-4373EM2 and CY8CEVAL-062S2-MUR-4373M2
4.5.0 Added support for KIT_XMC72_EVK_MUR_43439M2
Updated to support mbedtls v3.4.0 and ModusToolbox™ v3.1.
4.6.0 Added support for CY8CEVAL-062S2-CYW43022CUB
4.7.0 Added support for CY8CKIT-062S2-AI
4.8.0 Added support for CY8CEVAL-062S2-CYW955513SDM2WLIPA
4.8.1 Disabled D-cache for XMC7000 based BSPs

All referenced product or service names and trademarks are the property of their respective owners.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc., and any use of such marks by Infineon is under license.


© Cypress Semiconductor Corporation, 2020-2024. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS DOCUMENT OR ANY SOFTWARE OR ACCOMPANYING HARDWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. No computing device can be absolutely secure. Therefore, despite security measures implemented in Cypress hardware or software products, Cypress shall have no liability arising out of any security breach, such as unauthorized access to or use of a Cypress product. CYPRESS DOES NOT REPRESENT, WARRANT, OR GUARANTEE THAT CYPRESS PRODUCTS, OR SYSTEMS CREATED USING CYPRESS PRODUCTS, WILL BE FREE FROM CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, DATA LOSS OR THEFT, OR OTHER SECURITY INTRUSION (collectively, "Security Breach"). Cypress disclaims any liability relating to any Security Breach, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any Security Breach. In addition, the products described in these materials may contain design defects or errors known as errata which may cause the product to deviate from published specifications. To the extent permitted by applicable law, Cypress reserves the right to make changes to this document without further notice. Cypress does not assume any liability arising out of the application or use of any product or circuit described in this document. Any information provided in this document, including any sample design information or programming code, is provided only for reference purposes. It is the responsibility of the user of this document to properly design, program, and test the functionality and safety of any application made of this information and any resulting product. "High-Risk Device" means any device or system whose failure could cause personal injury, death, or property damage. Examples of High-Risk Devices are weapons, nuclear installations, surgical implants, and other medical devices. "Critical Component" means any component of a High-Risk Device whose failure to perform can be reasonably expected to cause, directly or indirectly, the failure of the High-Risk Device, or to affect its safety or effectiveness. Cypress is not liable, in whole or in part, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any use of a Cypress product as a Critical Component in a High-Risk Device. You shall indemnify and hold Cypress, including its affiliates, and its directors, officers, employees, agents, distributors, and assigns harmless from and against all claims, costs, damages, and expenses, arising out of any claim, including claims for product liability, personal injury or death, or property damage arising from any use of a Cypress product as a Critical Component in a High-Risk Device. Cypress products are not intended or authorized for use as a Critical Component in any High-Risk Device except to the limited extent that (i) Cypress's published data sheet for the product explicitly states Cypress has qualified the product for use in a specific High-Risk Device, or (ii) Cypress has given you advance written authorization to use the product as a Critical Component in the specific High-Risk Device and you have signed a separate indemnification agreement.
Cypress, the Cypress logo, and combinations thereof, ModusToolbox, PSoC, CAPSENSE, EZ-USB, F-RAM, and TRAVEO are trademarks or registered trademarks of Cypress or a subsidiary of Cypress in the United States or in other countries. For a more complete list of Cypress trademarks, visit www.infineon.com. Other names and brands may be claimed as property of their respective owners.