tls support

Author: mmoskal

boards/partitions.csv

@@ -1,5 +1,5 @@
 # Name,     Type, SubType,  Offset,  Size,    Flags
 dcfg,       0x8A, 0x00,     0x9000,  0x2000,
 phy_init,   data, phy,      0xf000,  0x1000,
-factory,    app,  factory,  0x10000, 1M,
-nvs,        data, nvs,      ,  128K,
+factory,    app,  factory,  0x10000, 1728K,
+nvs,        data, nvs,      ,  256K,

devicescript

@@ -8,6 +8,16 @@
 #include "lwip/netdb.h"
 #include "lwip/dns.h"
 
+#include "mbedtls/platform.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/esp_debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/error.h"
+#include "mbedtls/certs.h"
+#include "esp_crt_bundle.h"
+
 #define LOG(fmt, ...) DMESG("SOCK: " fmt, ##__VA_ARGS__)
 #if 1
 #define LOGV(...) ((void)0)
@@ -19,6 +29,26 @@
 
 static xQueueHandle sock_cmds;
 static xQueueHandle sock_events;
+static uint8_t sockbuf[128];
+
+typedef struct {
+    mbedtls_ssl_context ssl;
+    mbedtls_ctr_drbg_context ctr_drbg; // rng
+    mbedtls_ssl_config conf;
+    mbedtls_entropy_context entropy;
+    mbedtls_net_context server_fd;
+    bool is_tls;
+    bool is_connected;
+
+#if 0
+    mbedtls_x509_crt cacert;
+    mbedtls_x509_crt *cacert_ptr;
+    mbedtls_x509_crt clientcert;
+    mbedtls_pk_context clientkey;
+#endif
+} sock_state_t;
+
+static sock_state_t _tls;
 
 typedef struct {
     unsigned ev;
@@ -49,6 +79,10 @@ static void push_event(unsigned event, const void *data, unsigned size) {
     xQueueSend(sock_events, &evt, 20);
 }
 
+static bool needs_io(int ret) {
+    return (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);
+}
+
 static void push_error(const char *msg) {
     push_event(JD_CONN_EV_ERROR, msg, strlen(msg));
 }
@@ -67,16 +101,34 @@ static void raise_error(const char *msg) {
     }
 }
 
-static int sock_create_and_connect(const char *hostname, const char *port_num) {
+static int mbedtls_print_error_msg(const char *fn, int error) {
+    LOG("%s returned -%x", fn, -error);
+    mbedtls_strerror(error, (char *)sockbuf, sizeof(sockbuf));
+    LOG("  %s", sockbuf);
+    raise_error(fn);
+    return -1;
+}
+
+static int sock_create_and_connect(const char *hostname, int port) {
     struct addrinfo hints = {
         .ai_family = AF_UNSPEC,
         .ai_socktype = SOCK_STREAM,
     };
     struct addrinfo *result;
 
-    int s = getaddrinfo(hostname, port_num, &hints, &result);
+    bool is_tls = false;
+
+    if (port < 0) {
+        port = -port;
+        is_tls = true;
+    }
+
+    char portbuf[10];
+    jd_sprintf(portbuf, sizeof(portbuf), "%d", port);
+
+    int s = getaddrinfo(hostname, portbuf, &hints, &result);
     if (s) {
-        LOG("getaddrinfo %s:%s: %d", hostname, port_num, s);
+        LOG("getaddrinfo %s:%d: %d", hostname, port, s);
         push_error("can't resolve host");
         return -1;
     }
@@ -94,7 +146,7 @@ static int sock_create_and_connect(const char *hostname, const char *port_num) {
         }
 
         if (rp->ai_next == NULL) {
-            LOG("connect %s:%s: %s", hostname, port_num, strerror(errno));
+            LOG("connect %s:%d: %s", hostname, port, strerror(errno));
             push_error("can't connect");
         }
 
@@ -106,18 +158,72 @@ static int sock_create_and_connect(const char *hostname, const char *port_num) {
     if (sockfd < 0)
         return sockfd;
 
-    LOG("connected to %s:%s", hostname, port_num);
-    return sockfd;
+    LOG("connected to %s:%d", hostname, port);
+
+    sock_fd = sockfd;
+
+    if (!is_tls)
+        return 0;
+
+    sock_state_t *tls = &_tls;
+    mbedtls_ssl_init(&tls->ssl);
+    mbedtls_ctr_drbg_init(&tls->ctr_drbg);
+    mbedtls_ssl_config_init(&tls->conf);
+    mbedtls_entropy_init(&tls->entropy);
+    tls->is_tls = true;
+    tls->server_fd.fd = sockfd;
+
+    int ret;
+
+    if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, hostname)) != 0)
+        return mbedtls_print_error_msg("mbedtls_ssl_set_hostname", ret);
+
+    if ((ret = mbedtls_ssl_config_defaults(&tls->conf, MBEDTLS_SSL_IS_CLIENT,
+                                           MBEDTLS_SSL_TRANSPORT_STREAM,
+                                           MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
+        return mbedtls_print_error_msg("mbedtls_ssl_config_defaults", ret);
+
+    mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+    esp_crt_bundle_attach(&tls->conf);
+
+    if ((ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg, mbedtls_entropy_func, &tls->entropy, NULL,
+                                     0)) != 0)
+        return mbedtls_print_error_msg("mbedtls_ctr_drbg_seed", ret);
+
+    mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
+
+    // 2-warn 3-debug 4-verbose
+    // mbedtls_esp_enable_debug_log(&tls->conf, 3);
+
+    if ((ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf)) != 0)
+        return mbedtls_print_error_msg("mbedtls_ssl_setup", ret);
+
+    mbedtls_ssl_set_bio(&tls->ssl, &tls->server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
+
+    for (;;) {
+        ret = mbedtls_ssl_handshake(&tls->ssl);
+        if (ret == 0)
+            break;
+
+        if (!needs_io(ret))
+            return mbedtls_print_error_msg("mbedtls_ssl_handshake", ret);
+
+        vTaskDelay(10);
+    }
+
+    mbedtls_net_set_nonblock(&tls->server_fd);
+
+    LOG("TLS handshake completed with %s:%d", hostname, port);
+
+    return 0;
 }
 
 static void process_open(sock_cmd_t *cmd) {
     jd_tcpsock_close();
-    char *port_num = jd_sprintf_a("%d", cmd->open.port);
-    int r = sock_create_and_connect(cmd->open.hostname, port_num);
-    jd_free(port_num);
+    int r = sock_create_and_connect(cmd->open.hostname, cmd->open.port);
     jd_free(cmd->open.hostname);
-    if (r > 0) {
-        sock_fd = r;
+    if (r == 0) {
+        _tls.is_connected = true;
         push_event(JD_CONN_EV_OPEN, NULL, 0);
     }
 }
@@ -135,10 +241,36 @@ static int forced_write(int fd, const void *buf, size_t nbytes) {
     return numread;
 }
 
+static int sock_mbedtls_write(sock_state_t *tls, const uint8_t *data, size_t datalen) {
+    JD_ASSERT(datalen < MBEDTLS_SSL_OUT_CONTENT_LEN);
+
+    size_t written = 0;
+    size_t write_len = datalen;
+    while (written < datalen) {
+        ssize_t ret = mbedtls_ssl_write(&tls->ssl, data + written, write_len);
+        if (ret <= 0) {
+            if (ret != 0 && !needs_io(ret)) {
+                return mbedtls_print_error_msg("mbedtls_ssl_write", ret);
+            } else {
+                vTaskDelay(5);
+            }
+        }
+        written += ret;
+        write_len = datalen - written;
+    }
+    return written;
+}
+
 static void process_write(sock_cmd_t *cmd) {
     unsigned size = cmd->write.size;
     uint8_t *buf = cmd->write.data;
-    if (sock_fd) {
+
+    sock_state_t *tls = &_tls;
+
+    if (tls->is_tls) {
+        LOGV("wrTLS %u b", size);
+        sock_mbedtls_write(tls, buf, size);
+    } else if (sock_fd) {
         LOGV("wr %u b", size);
         if (forced_write(sock_fd, buf, size) != (int)size)
             raise_error("write error");
@@ -151,6 +283,17 @@ void jd_tcpsock_close(void) {
         close(sock_fd);
         sock_fd = 0;
     }
+
+    sock_state_t *tls = &_tls;
+    tls->is_connected = false;
+    if (tls->is_tls) {
+        // mbedtls_ssl_session_reset(&tls->ssl);
+        mbedtls_entropy_free(&tls->entropy);
+        mbedtls_ssl_config_free(&tls->conf);
+        mbedtls_ctr_drbg_free(&tls->ctr_drbg);
+        mbedtls_ssl_free(&tls->ssl);
+        tls->is_tls = 0;
+    }
 }
 
 int jd_tcpsock_new(const char *hostname, int port) {
@@ -200,6 +343,8 @@ static void worker_main(void *arg) {
 }
 
 void jd_tcpsock_init(void) {
+    esp_log_level_set("mbedtls", ESP_LOG_DEBUG);
+
     // The main task is at priority 1, so we're higher priority (run "more often").
     // Timer task runs at much higher priority (~20).
     unsigned stack_size = 4096;
@@ -210,32 +355,53 @@ void jd_tcpsock_init(void) {
 }
 
 void jd_tcpsock_process(void) {
-    static uint8_t sockbuf[128];
-
     sock_event_t evt;
     while (xQueueReceive(sock_events, &evt, 0)) {
         jd_tcpsock_on_event(evt.ev, evt.data, evt.size);
     }
 
-    if (!sock_fd)
+    sock_state_t *tls = &_tls;
+
+    if (!tls->is_connected)
         return;
 
     for (;;) {
-        int r = recv(sock_fd, sockbuf, sizeof(sockbuf), MSG_DONTWAIT);
-        if (r == 0) {
-            raise_error(NULL);
-            return;
-        }
-        if (r > 0) {
-            LOGV("rd %d", r);
-            jd_tcpsock_on_event(JD_CONN_EV_MESSAGE, sockbuf, r);
+        if (tls->is_tls) {
+            int ret = mbedtls_ssl_read(&tls->ssl, sockbuf, sizeof(sockbuf));
+
+            if (needs_io(ret))
+                return;
+
+            if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY || ret == 0) {
+                raise_error(NULL);
+                return;
+            }
+
+            if (ret < 0) {
+                mbedtls_print_error_msg("mbedtls_ssl_read", ret);
+                return;
+            }
+
+            LOGV("rdTLS %d", ret);
+            jd_tcpsock_on_event(JD_CONN_EV_MESSAGE, sockbuf, ret);
         } else {
-            if (errno == EAGAIN || errno == EWOULDBLOCK)
-                break;
-            else {
-                raise_error("recv error");
+            int r = recv(sock_fd, sockbuf, sizeof(sockbuf), MSG_DONTWAIT);
+            if (r == 0) {
+                raise_error(NULL);
                 return;
             }
+
+            if (r > 0) {
+                LOGV("rd %d", r);
+                jd_tcpsock_on_event(JD_CONN_EV_MESSAGE, sockbuf, r);
+            } else {
+                if (errno == EAGAIN || errno == EWOULDBLOCK)
+                    break;
+                else {
+                    raise_error("recv error");
+                    return;
+                }
+            }
         }
     }
 }