nf-interpreter/targets/TI_SimpleLink/_common/ssl_simplelink.cpp at 1f3b8b80c37e9f7d4f26d7b23a7d6a78a83d83b1 · nanoframework/nf-interpreter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
//
// Copyright (c) .NET Foundation and Contributors
// Portions Copyright (c) Texas Instruments Incorporated.  All rights reserved.
// See LICENSE file in the project root for full license information.
//

#include <nanoHal.h>
#include <ssl.h>
#include <targetHAL_ConfigurationManager_CC32xx.h>
#include <ssl_simplelink.h>
#include <targetSimpleLinkCC32xx_Threads.h>

#include <ti/net/slneterr.h>
#include <ti/net/slnetutils.h>
#include <ti/drivers/net/wifi/sl_socket.h>

//--//

// need to declare this here because the SimpleLink header doesn't have the appropriate C++ wrappers
extern "C"
{
    int32_t ClockSync_convert(uint32_t gmTime, struct tm *localTime);
}

// TODO
bool ssl_parse_certificate_internal(void *buf, size_t size, void *pwd, void *x509)
{
    (void)buf;
    (void)size;
    (void)pwd;
    (void)x509;
}

bool ssl_get_public_key_raw_internal(void *certificate, size_t size, void *x509RawData)
{
    (void)certificate;
    (void)size;
    (void)x509RawData;

    // can't really do anything here, so just return false
    return false;
}

int ssl_decode_private_key_internal(
    const unsigned char *key,
    size_t keyLength,
    const unsigned char *password,
    size_t passwordLength)
{
    (void)key;
    (void)keyLength;
    (void)password;
    (void)passwordLength;

    return 0;
}

int ssl_accept_internal(int socket, int contextHandle)
{
    (void)socket;
    (void)contextHandle;
}

bool ssl_add_cert_auth_internal(int contextHandle, const char *certificate, int certLength, const char *certPassword)
{
    (void)contextHandle;
    (void)certificate;
    (void)certLength;
    (void)certPassword;
}

// declared at sockets_simplelink
extern int socketErrorCode;

bool ssl_initialize_internal()
{
    memset(&g_SSL_Driver, 0, sizeof(g_SSL_Driver));

    return true;
}

bool ssl_generic_init_internal(
    int sslMode,
    int sslVerify,
    const char *certificate,
    int certLength,
    const uint8_t *privateKey,
    int privateKeyLength,
    const char *password,
    int passwordLength,
    int &contextHandle,
    bool useDeviceCertificate,
    bool isServer)
{
    (void)password;
    (void)passwordLength;
    (void)privateKey;
    (void)privateKeyLength;

    int sslContexIndex = -1;

    SlSSL_Context *context;
    SlNetSockSecAttrib_e attribName;
    int32_t status;
    uint32_t dummyVal = 1;
    uint8_t securityMethod;
    uint32_t securityCypher = SLNETSOCK_SEC_CIPHER_FULL_LIST;

    // we only have one CA root bundle, so this is fixed to 0
    uint32_t configIndex = 0;

    ///////////////////////
    for (uint32_t i = 0; i < ARRAYSIZE(g_SSL_Driver.ContextArray); i++)
    {
        if (g_SSL_Driver.ContextArray[i].Context == NULL)
        {
            sslContexIndex = i;
            break;
        }
    }

    if (sslContexIndex == -1)
        return false;

    // create and init nanoFramework Simple Link context
    // this needs to be freed in ssl_exit_context_internal
    context = (SlSSL_Context *)platform_malloc(sizeof(SlSSL_Context));
    if (context == NULL)
    {
        goto error;
    }

    // create security attribute
    // this is the equivalent of SSL context in MbedTLS
    // it needs to be freed in ssl_exit_context_internal
    context->SecurityAttributes = SlNetSock_secAttribCreate();
    if (context->SecurityAttributes == NULL)
    {
        goto error;
    }

    context->IsServer = isServer;

    // configure protocol
    switch ((SslProtocols)sslMode)
    {
        case SslProtocols_TLSv1:
            securityMethod = SLNETSOCK_SEC_METHOD_TLSV1;
            break;

        case SslProtocols_TLSv11:
            securityMethod = SLNETSOCK_SEC_METHOD_TLSV1_1;
            break;

        case SslProtocols_TLSv12:
            securityMethod = SLNETSOCK_SEC_METHOD_TLSV1_2;
            break;

        default:
            // shouldn't reach here!
            goto error;
    }

    status = SlNetSock_secAttribSet(
        context->SecurityAttributes,
        SLNETSOCK_SEC_ATTRIB_METHOD,
        (void *)&(securityMethod),
        sizeof(securityMethod));
    if (status < 0)
    {
        goto error;
    }

    // enable all cyphers (this is Simple Link default, so nothing to do about this)

    // CA root certs are taken from Simple Link trusted root-certificate catalog, so nothing to do here

    // // parse "own" certificate if passed
    // if(certificate != NULL && certLength > 0)
    // {
    //     // TODO
    //     // this isn't required for client authentication

    //     // mbedtls_x509_crt_init( &clicert );

    //     // /////////////////////////////////////////////////////////////////////////////////////////////////
    //     // // developer notes:                                                                            //
    //     // // this call parses certificates in both string and binary formats                             //
    //     // // when the formart is a string it has to include the terminator otherwise the parse will fail //
    //     // /////////////////////////////////////////////////////////////////////////////////////////////////
    //     // if(mbedtls_x509_crt_parse( &clicert, (const unsigned char*)certificate, certLength ) != 0)
    //     // {
    //     //     // x509_crt_parse_failed
    //     //     goto error;
    //     // }

    //     // if( mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, mbedtls_test_cli_key_len,
    //     NULL, 0 ) != 0)
    //     // {
    //     //     // failed parsing the
    //     // }

    //     // if( mbedtls_tls_conf_own_cert( &conf, &clicert, &pkey ) != 0 )
    //     // {
    //     //     // configuring own certificate failed
    //     //     goto error;
    //     // }
    // }

    // set certificate verification
    // the current options provided by Simple Link API are only verify or don't verify
    if ((SslVerification)sslVerify == SslVerification_NoVerification)
    {
        status = SlNetSock_secAttribSet(
            context->SecurityAttributes,
            SLNETSOCK_SEC_ATTRIB_DISABLE_CERT_STORE,
            (void *)&dummyVal,
            sizeof(dummyVal));
        if (status < 0)
        {
            goto error;
        }
    }

    //////////////////////////////////////

    // the equivalent of SSL contex in Simple Link is the Security Attribute that we've been building
    g_SSL_Driver.ContextArray[sslContexIndex].Context = context;
    g_SSL_Driver.ContextCount++;

    contextHandle = sslContexIndex;

    return true;

error:

    // check for any memory allocation that needs to be freed before exiting
    if (context != NULL)
    {
        platform_free(context);
    }

    if (context->SecurityAttributes != NULL)
    {
        SlNetSock_secAttribDelete(context->SecurityAttributes);
    }

    return false;
}

bool ssl_exit_context_internal(int contextHandle)
{
    SlSSL_Context *context = NULL;

    // Check contextHandle range
    if ((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0) ||
        (g_SSL_Driver.ContextArray[contextHandle].Context == NULL))
    {
        return false;
    }

    context = (SlSSL_Context *)g_SSL_Driver.ContextArray[contextHandle].Context;
    if (context == NULL)
    {
        return false;
    }

    SlNetSock_secAttribDelete(context->SecurityAttributes);

    platform_free(context);

    memset(&g_SSL_Driver.ContextArray[contextHandle], 0, sizeof(g_SSL_Driver.ContextArray[contextHandle]));

    g_SSL_Driver.ContextCount--;

    return true;
}

int ssl_connect_internal(int sd, const char *szTargetHost, int contextHandle)
{
    SlSSL_Context *context;
    int32_t status;
    struct timespec ts;
    struct tm rtcTime;

    // Check contextHandle range
    if ((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0))
    {
        return SOCK_SOCKET_ERROR;
    }

    // Retrieve SSL context from g_SSL_Driver
    // sd should already have been created
    // Now do the SSL negotiation
    context = (SlSSL_Context *)g_SSL_Driver.ContextArray[contextHandle].Context;
    if (context == NULL)
    {
        return SOCK_SOCKET_ERROR;
    }

    // set socket in network context
    context->SocketFd = sd;

    if (szTargetHost != NULL && szTargetHost[0] != 0)
    {
        status = SlNetSock_secAttribSet(
            context->SecurityAttributes,
            SLNETSOCK_SEC_ATTRIB_DOMAIN_NAME,
            (void *)szTargetHost,
            hal_strlen_s(szTargetHost));
        if (status < 0)
        {
            // hostname_failed
            return status;
        }
    }

    // in order to validate certificates, the device has to have it's date/time set
    // get current time
    clock_gettime(CLOCK_REALTIME, &ts);

    // need to convert between structs
    ClockSync_convert(ts.tv_sec, &rtcTime);

    SlDateTime_t dateTime;
    dateTime.tm_sec = rtcTime.tm_sec;
    dateTime.tm_min = rtcTime.tm_min;
    dateTime.tm_hour = rtcTime.tm_hour;
    dateTime.tm_day = rtcTime.tm_mday;
    // tm_mon starts month 0
    dateTime.tm_mon = rtcTime.tm_mon + 1;
    // tm_year starts in 1970
    dateTime.tm_year = rtcTime.tm_year + 1970;

    sl_DeviceSet(SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME, sizeof(SlDateTime_t), (uint8_t *)(&dateTime));

    // DON'T setup socket for blocking operation

    // start security context on socket
    status = SlNetSock_startSec(
        context->SocketFd,
        context->SecurityAttributes,
        context->IsServer ? (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_IS_SERVER)
                          : (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_BIND_CONTEXT_ONLY));

    if ((status < 0) && (status != SLNETERR_ESEC_UNKNOWN_ROOT_CA) && (status != SLNETERR_ESEC_HAND_SHAKE_TIMED_OUT) &&
        (status != SLNETERR_ESEC_DATE_ERROR) && (status != SLNETERR_ESEC_SNO_VERIFY))
    {
        return status;
    }

    // got here, handshake is completed

    return 0;
}

int ssl_available_internal(int sd)
{
    // Simple Link doesn't have an API to check for available data
    // just return 0
    return 0;
}

int ssl_write_internal(int sd, const char *data, size_t req_len)
{
    int32_t status;

    socketErrorCode = SlNetSock_send(sd, (const void *)data, req_len, 0);

    // anything below 0 is considered an error, so we have to report that no bytes were sent
    if (socketErrorCode < 0)
    {
        return 0;
    }

    return req_len;
}

int ssl_read_internal(int sd, char *data, size_t size)
{
    socketErrorCode = SlNetSock_recv(sd, (unsigned char *)(data), size, 0);

    return socketErrorCode;
}

int ssl_close_socket_internal(int sd)
{
    // Simple Link takes care of everything for us, just call close socket
    SOCK_close(sd);

    return true;
}