/** * Copyright (c) 2016 - 2018, Nordic Semiconductor ASA * * All rights reserved. * * Redistribution and use in source and binary forms, with or without modification, * are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form, except as embedded into a Nordic * Semiconductor ASA integrated circuit in a product or a software update for * such product, must reproduce the above copyright notice, this list of * conditions and the following disclaimer in the documentation and/or other * materials provided with the distribution. * * 3. Neither the name of Nordic Semiconductor ASA nor the names of its * contributors may be used to endorse or promote products derived from this * software without specific prior written permission. * * 4. This software, with or without modification, must only be used with a * Nordic Semiconductor ASA integrated circuit. * * 5. Any software provided in binary form under this license must not be reverse * engineered, decompiled, modified and/or disassembled. * * THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include #include #include "nrf_error.h" #include "nrf_drv_rng.h" #include "app_fifo.h" #include "mem_manager.h" #include "mbedtls/ssl.h" #include "mbedtls/platform.h" #include "mbedtls/sha256.h" #include "mbedtls/debug.h" #include "nrf_tls.h" #include "nrf_assert.h" #include "iot_timer.h" #include "iot_errors.h" #if TLS_CONFIG_LOG_ENABLED #define NRF_LOG_MODULE_NAME TLS #define NRF_LOG_LEVEL TLS_CONFIG_LOG_LEVEL #define NRF_LOG_INFO_COLOR TLS_CONFIG_INFO_COLOR #define NRF_LOG_DEBUG_COLOR TLS_CONFIG_DEBUG_COLOR #include "nrf_log.h" NRF_LOG_MODULE_REGISTER(); #define TLS_LOG NRF_LOG_INFO /**< Used for getting trace of execution in the module. */ #define TLS_ERR NRF_LOG_ERROR /**< Used for logging errors in the module. */ #define TLS_DUMP NRF_LOG_HEXDUMP_DEBUG /**< Used for dumping octet information to get details of bond information etc. */ #define TLS_ENTRY() TLS_TRC(">> %s", __func__) #define TLS_EXIT() TLS_TRC("<< %s", __func__) #else // TLS_CONFIG_LOG_ENABLED #define TLS_LOG(...) /**< Disables traces. */ #define TLS_DUMP(...) /**< Disables dumping of octet streams. */ #define TLS_ERR(...) /**< Disables error logs. */ #define TLS_ENTRY(...) #define TLS_EXIT(...) #endif // TLS_CONFIG_LOG_ENABLED #define TIME_PERIOD_INVALID 0xFFFFFFFF /**< Identifier for invalid time period. Used for timer functions. */ #define TLS_MUTEX_LOCK() SDK_MUTEX_LOCK(m_tls_mutex) /**< Lock module using mutex */ #define TLS_MUTEX_UNLOCK() SDK_MUTEX_UNLOCK(m_tls_mutex) /**< Unlock module using mutex */ /** * @brief This macro is used for developer debugging. * * @note Not enabled nromally as too many logs result and this level of detail is needed * less frequently. */ #define TLS_TRC(...) /**@brief TLS interface. */ typedef struct { uint32_t transport_id; /**< Transport identifier provided by the application to map the TLS instance with associated transport. Set by the application on allocation. */ nrf_tls_output_t output_fn; /**< Output function registered by the application to write TLS data on the transport. */ app_fifo_t input_fifo; /**< Input FIFO used for queueing up data received from the transport. Data on the transport us*/ app_fifo_t output_fifo; /**< Output FIFO used for queueing up decrypted data received on the TLS interface. */ mbedtls_ssl_context context; /**< SSL context used by mBedTLS for managing the TLS instance. */ mbedtls_ssl_config conf; /**< Pointer to the configuration paramaters used for the instance. Memory is allocated on nrf_tls_alloc. */ #ifdef MBEDTLS_X509_CRT_PARSE_C mbedtls_pk_context pkey; /**< Private key information. Used only when own certificate is provided. */ mbedtls_x509_crt * p_owncert; /**< Own parsed certificate. */ mbedtls_x509_crt * p_cacert; /**< CA's parsed certificate. */ #endif // MBEDTLS_X509_CRT_PARSE_C /**@brief Timer management used to provide timeouts to the TLS library. */ uint32_t start_tick; /**< Indicator (in milliseconds) of when the timeout was requested. */ uint32_t intrmediate_delay; /**< Period indicating intermediate timeout period in milliseconds. */ uint32_t final_delay; /**< Final timeout period in milliseconds. */ } interface_t; #ifdef MBEDTLS_X509_CRT_PARSE_C /**@brief Input buffer size used for the input FIFO. * * @note For ECDHE-RSA, though the context length is set to a value smaller than 3072, a buffer size * of 4k is needed for the cloud sends a certificate that does not fit the size. * Also configuration of input FIFO is possible in powers of 2 therefore tuning this value to * a smaller FIFO size to exactly the size of certificate size is not possible. */ #define INPUT_BUFFER_SIZE 4096 #endif // MBEDTLS_X509_CRT_PARSE_C /**@brief Input buffer size when certificates are not used. */ #ifndef INPUT_BUFFER_SIZE #define INPUT_BUFFER_SIZE MBEDTLS_SSL_MAX_CONTENT_LEN #endif // INPUT_BUFFER_SIZE /**@brief Output buffer size. * * @note Limiting to 1024 instead of MBEDTLS_SSL_MAX_CONTENT_LEN due to RAM constraints. */ #define OUTPUT_BUFFER_SIZE 1024 static interface_t * m_interface[NRF_TLS_MAX_INSTANCE_COUNT]; /**< Interface table to manage the interfaces. */ static uint8_t m_input_buffer[INPUT_BUFFER_SIZE * NRF_TLS_MAX_INSTANCE_COUNT]; /**< Input buffer that is statically reserved. */ SDK_MUTEX_DEFINE(m_tls_mutex) /**< Mutex variable. Currently unused, this declaration does not occupy any space in RAM. */ /**@brief Initializes the interface. * * @param[in] index Identifies instance in m_interface table to be initialized. */ static __INLINE void interface_init(uint32_t index) { m_interface[index] = NULL; } /**@brief Wrapper function to avoid GCC errors with incompatible parameters. * * @param[in] n Number of blocks to be allocated. * @param[in] s Size of each block to be assigned. * * @retval Pointer to memory block if procedure succeeded. * @retval NULL if procedure failed. */ static __INLINE void * wrapper_calloc(size_t n, size_t s) { return nrf_calloc(n,s); } /**@brief Frees and allocated interface instance. * *@param[in] p_instance Identifies the interface instance to be freed. */ static void interface_free(uint32_t index) { interface_t * const p_interface = m_interface[index]; if (p_interface != NULL) { nrf_free(p_interface->input_fifo.p_buf); nrf_free(p_interface->output_fifo.p_buf); #ifdef MBEDTLS_X509_CRT_PARSE_C nrf_free(p_interface->p_cacert); nrf_free(p_interface->p_owncert); #endif // MBEDTLS_X509_CRT_PARSE_C mbedtls_ssl_config_free(&p_interface->conf); mbedtls_ssl_config_init(&p_interface->conf); mbedtls_ssl_free(&p_interface->context); nrf_free(p_interface); } interface_init(index); } /**@brief Allocates an interface instance. * * @param[inout] p_instance Provides transport identifier for the TLS instance. * And if procedure was successful, will conatin allocated TLS instance identifier. * @param[in] TLS options to be used for the instamce. * * @retval NRF_SUCCESS if the procedure was successful, else an error code indicating reason ( for failure. */ static uint32_t interface_alloc(nrf_tls_instance_t * p_instance, nrf_tls_options_t const * p_options) { uint32_t index = 0; uint32_t err_code = NRF_TLS_NO_FREE_INSTANCE; interface_t * p_interface = NULL; TLS_ENTRY(); // allocate meory for the TLS instance. for (index = 0; index < NRF_TLS_MAX_INSTANCE_COUNT; index++) { if (m_interface[index] == NULL) { err_code = (NRF_ERROR_NO_MEM | IOT_TLS_ERR_BASE); // Check if we have space to book keep the instance information. p_interface = nrf_malloc(sizeof(interface_t)); m_interface[index] = p_interface; break; } } if ((index < NRF_TLS_MAX_INSTANCE_COUNT)&& (p_interface != NULL)) { // Initialize the memory holding the sturcture. memset(p_interface, 0, sizeof(interface_t)); p_interface->output_fn = p_options->output_fn; // Found free instance. Allocate memory for input and output queues. uint8_t * p_input_memory = &m_input_buffer[INPUT_BUFFER_SIZE * index]; uint8_t * p_output_memory = (uint8_t *)nrf_malloc(OUTPUT_BUFFER_SIZE); TLS_LOG("Input memory address %p", p_input_memory); TLS_LOG("Output memory address %p", p_output_memory); if (p_output_memory != NULL) { // Initialize the instance. err_code = app_fifo_init(&p_interface->input_fifo, p_input_memory, INPUT_BUFFER_SIZE); TLS_LOG("Input FIFO init result %08lx", err_code); if (err_code == NRF_SUCCESS) { err_code = app_fifo_init(&p_interface->output_fifo, p_output_memory, OUTPUT_BUFFER_SIZE); TLS_LOG("Output FIFO init result %08lx", err_code); if (err_code == NRF_SUCCESS) { // All pre-requisites for using the instance met. // Procedure was successful. TLS_LOG("Ind"); p_interface->transport_id = p_instance->transport_id; p_instance->instance_id = index; } } if (err_code != NRF_SUCCESS) { err_code = (NRF_ERROR_INTERNAL | IOT_TLS_ERR_BASE); } } if (err_code != NRF_SUCCESS) { TLS_ERR("Allocation failed - Initialization procedures."); interface_free(index); } } else { TLS_ERR("Allocation failed - Inadequate memory."); } return err_code; } /**@brief Transport read function registered with the TLS library. * * @details Data read on the transport is fed to the interface using the nrf_tls_input function. * The TLS library requests the data based on state of SSL connection. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * @param[out] p_buffer Buffer where read data is fetched. * @param[in] size Size to be read. * * @retval size of data read if procedure was successful. * @retval MBEDTLS_ERR_SSL_CONN_EOF indicating there is not enough data received on the transport. */ static int interface_transport_read(void * p_ctx, unsigned char * p_buffer, size_t buffer_size) { uint32_t err; uint32_t length = buffer_size; interface_t * const p_interface = m_interface[(uint32_t)p_ctx]; uint32_t available_size = 0; TLS_MUTEX_LOCK(); TLS_TRC("[%p]: interface_transport_read requested %08x", p_interface, buffer_size); // Verify how much data is available in the queue. err = app_fifo_read(&p_interface->input_fifo, NULL, &available_size); TLS_TRC("[%p]: interface_transport_read, app_fifo_read result %ld", p_interface, err); // For datagram connection, read all that is available. // For stream sockets, read only if available data is at least as much as requested. if (( (p_interface->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && (available_size > 0) )|| ( (p_interface->conf.transport == MBEDTLS_SSL_TRANSPORT_STREAM) && (available_size >= buffer_size)) ) { TLS_TRC("[%p]: interface_transport_read requested 0x%08x, available %08lx.", p_interface, buffer_size, available_size); err = app_fifo_read(&p_interface->input_fifo, p_buffer, &length); if (err == NRF_SUCCESS) { TLS_TRC("[%p]: interface_transport_read success, length 0x%08lx.", p_interface, length); TLS_TRC("[NRF TLS]: ---------------- SSL Read data --------------"); TLS_DUMP(p_buffer, length); TLS_TRC("[NRF TLS]: -------------------- End ------------------"); return length; } } else { TLS_TRC("[%p]: interface_transport_read requested size 0x%08x, " "available 0x%08lx.", p_interface, buffer_size, available_size); } TLS_MUTEX_UNLOCK(); return MBEDTLS_ERR_SSL_CONN_EOF; } /**@brief Write function that the TLS library calls to write on the transport. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * @param[in] p_buf Buffer containing data to be written on the transport. * @param[in] len Length of data to be written. * * @retval length of data written on the transport if the procedure was successful. * @retval MBEDTLS_ERR_SSL_CONN_EOF in case the procedure failed. */ static int interface_transport_write(void * p_ctx, const unsigned char * p_buf, size_t len) { int op_len = len; interface_t * const p_interface = m_interface[(uint32_t)p_ctx]; TLS_MUTEX_LOCK(); const nrf_tls_instance_t handle = { .transport_id = p_interface->transport_id, .instance_id = (uint32_t)p_ctx }; TLS_LOG("[%p]: interface_transport_write requested 0x%08x", p_interface, len); TLS_MUTEX_UNLOCK(); uint32_t err_code = p_interface->output_fn(&handle, (uint8_t *)p_buf, len); TLS_MUTEX_LOCK(); if (err_code != NRF_SUCCESS) { op_len = MBEDTLS_ERR_SSL_CONN_EOF; } TLS_MUTEX_UNLOCK(); return op_len; } /** * @brief Random number generator registered with the TLS library to create random numbers * when needed. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * @param[out] p_buffer Buffer where generated random vector is to be fetched. * @param[in] size Requested size of the random vector. * * @retval 0 when procedure is successful. * * @note This loop is time critical when available is less than requested size. */ static int random_vector_generate(void * p_ctx, unsigned char * p_buffer, size_t size) { uint8_t available = 0; ASSERT(size <= RNG_CONFIG_POOL_SIZE); while (available < size) { nrf_drv_rng_bytes_available(&available); TLS_TRC(">> random_vector_generate, requested 0x%08lx, available 0x%08x", size, available); } UNUSED_RETURN_VALUE(nrf_drv_rng_rand(p_buffer, size)); return 0; } /**@brief Routine called periodically to adavnce the SSL context state. * * @param[in] index Identifies the instance in m_interface to be serviced. */ static void interface_continue(interface_t * p_interface) { uint8_t * data = nrf_malloc(OUTPUT_BUFFER_SIZE); if (data != NULL) { int len; TLS_MUTEX_UNLOCK(); len = mbedtls_ssl_read(&p_interface->context, &data[0], OUTPUT_BUFFER_SIZE); TLS_MUTEX_LOCK(); TLS_TRC("[%p]:[0x%08lx]mbedtls_ssl_read result(len) 0x%08lx", p_interface, index, len); if (len > 0) { uint32_t write_len = len; uint32_t err_code = app_fifo_write(&p_interface->output_fifo, data, &write_len); if (err_code != NRF_SUCCESS) { TLS_LOG("Failed to write decrypted data."); } } nrf_free(data); } } /**@brief Debug log funciton registered with the TLS library. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * @param[in] level Debug level of the log. * @param[in] p_file File requesting the log. * @param[in] line Line number in the file requesting the log. * @param[in] p_str String containing the log message. */ static void mbedtls_log(void * p_ctx, int level, const char * p_file, int line, const char * p_str) { TLS_LOG("[%s]:[%d]: %s", &p_file[strlen(p_file)-12], line, p_str); } /**@brief Function registered with TLS library to set (start/stop) timer. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * @param[in] int_ms Intermediate timeout period in milliseconds. * @param[in] fin_ms Finaly timout period in milliseconds. * Value of zero indicates a request to stop the timer. */ static void tls_set_timer (void * p_ctx, uint32_t int_ms, uint32_t fin_ms) { TLS_MUTEX_LOCK(); interface_t * const p_interface = m_interface[(uint32_t)p_ctx]; if (fin_ms > 0) { TLS_TRC("[%p]: set_timer, start %d, final %d, intermediate %d", p_interface, p_interface->start_tick, p_interface->final_delay, p_interface->intrmediate_delay); uint32_t err_code = iot_timer_wall_clock_get(&p_interface->start_tick); if (err_code == NRF_SUCCESS) { p_interface->final_delay = fin_ms; p_interface->intrmediate_delay = int_ms; } } else { p_interface->start_tick = TIME_PERIOD_INVALID; p_interface->final_delay = TIME_PERIOD_INVALID; p_interface->intrmediate_delay = 0; } TLS_MUTEX_UNLOCK(); } /**@brief Function registered with TLS library to get the status of the timer. * * @param[in] p_ctx Context registered with the library on creation of the TLS instance. * * @retval -1 if timer is cancelled * @retval 0 if none of the delays is expired * @retval 1 if the intermediate delay only is expired * @retval 2 if the final delay is expired */ static int tls_get_timer (void * p_ctx) { TLS_MUTEX_LOCK(); iot_timer_time_in_ms_t elapsed_time; interface_t * const p_interface = m_interface[(uint32_t)p_ctx]; uint32_t err_code = iot_timer_wall_clock_delta_get(&p_interface->start_tick, &elapsed_time); TLS_TRC("[%p]:get_timer, start %d, final %d, intermediate %d, elapsed %d", p_interface, p_interface->start_tick, p_interface->final_delay, p_interface->intrmediate_delay, elapsed_time); if (err_code == NRF_SUCCESS) { if (p_interface->final_delay <= elapsed_time) { return 2; } else if (p_interface->intrmediate_delay <= elapsed_time) { return 1; } else { if ((p_interface->intrmediate_delay == TIME_PERIOD_INVALID) && (p_interface->final_delay == TIME_PERIOD_INVALID)) { return -1; } } } TLS_MUTEX_UNLOCK(); return 0; } /**@brief Prints/displays the configuration of the interface. Used for debugging purposes. * * @param[in] p_interface Identifies the instance whose ssl configuration is to be printed. */ static void interface_conf_debug_print(interface_t * p_interface) { TLS_TRC("[%p] SSL Conf", p_interface); for (int i = 0; i < 4; i++) { TLS_TRC("\t Cipger Suites : %02d", i); TLS_TRC("\t\t\tCiphersuite[0] = %02d", p_interface->conf.ciphersuite_list[i][0]); TLS_TRC("\t\t\tCiphersuite[1] = %02d", p_interface->conf.ciphersuite_list[i][1]); TLS_TRC("\t\t\tCiphersuite[2] = %02d", p_interface->conf.ciphersuite_list[i][2]); TLS_TRC("\t\t\tCiphersuite[3] = %02d", p_interface->conf.ciphersuite_list[i][3]); } TLS_TRC("\t\tf_dbg = %p", p_interface->conf.f_dbg); TLS_TRC("\t\tp_dbg = %p", p_interface->conf.p_dbg); TLS_TRC("\t\tf_rng = %p", p_interface->conf.f_rng); TLS_TRC("\t\tp_rng = %p", p_interface->conf.p_rng); TLS_TRC("\t\tf_get_cache = %p", p_interface->conf.f_get_cache); TLS_TRC("\t\tf_set_cache = %p", p_interface->conf.f_set_cache); TLS_TRC("\t\tf_set_cache = %p", p_interface->conf.p_cache); TLS_TRC("\t\tf_vrfy = %p", p_interface->conf.f_vrfy); TLS_TRC("\t\tp_vrfy = %p", p_interface->conf.p_vrfy); TLS_TRC("\t\tcert_profile = %p", p_interface->conf.cert_profile); TLS_TRC("\t\tkey_cert = %p", p_interface->conf.key_cert); TLS_TRC("\t\tca_chain = %p", p_interface->conf.ca_chain); TLS_TRC("\t\tca_crl = %p", p_interface->conf.ca_crl); TLS_TRC("\t\tmax_major_ver = %2d", p_interface->conf.max_major_ver); TLS_TRC("\t\tmax_minor_ver = %2d", p_interface->conf.max_minor_ver); TLS_TRC("\t\tmin_major_ver = %2d", p_interface->conf.min_major_ver); TLS_TRC("\t\tmax_major_ver = %2d", p_interface->conf.max_major_ver); } /**@brief Sets up own certificate on the interface instance. * * @param[in] p_interface TLS interface instance for which the procedure is requested. * @param[in] p_own Supplies own certifcate setup information. * * @retval NRF_SUCCESS if the procedure was successful, else an error code indicating reason for * failure. */ static uint32_t own_certificate_set(interface_t * const p_interface, nrf_tls_certificate_t const * p_own) { #ifdef MBEDTLS_X509_CRT_PARSE_C uint32_t error_code = (NRF_ERROR_NO_MEM | IOT_TLS_ERR_BASE); int result; p_interface->p_owncert = nrf_malloc(sizeof(mbedtls_x509_crt)); if (p_interface->p_owncert) { mbedtls_x509_crt_init(p_interface->p_owncert); result = mbedtls_x509_crt_parse(p_interface->p_owncert, p_own->p_certificate, p_own->certificate_len); if ( result == 0 ) { mbedtls_pk_init( &p_interface->pkey ); result = mbedtls_pk_parse_key(&p_interface->pkey, p_own->p_private_key, p_own->private_key_len, NULL, 0 ); result = mbedtls_ssl_conf_own_cert(&p_interface->conf, p_interface->p_owncert, &p_interface->pkey); if (result != 0) { error_code = NRF_TLS_OWN_CERT_SETUP_FAILED; } else { error_code = NRF_SUCCESS; } } else { error_code = NRF_TLS_OWN_CERT_SETUP_FAILED; } } return error_code; #else return NRF_SUCCESS; #endif // MBEDTLS_X509_CRT_PARSE_C } /**@brief Sets up verification option for the interfce, * * @param[in] p_interface TLS interface instance for which the procedure is requested. * @param[in] p_settings Key setting supplying CA PEM file. * * @retval NRF_SUCCESS if the procedure was successful, else an error code indicating reason for * failure. */ static uint32_t verify_options_set(interface_t * const p_interface, nrf_tls_key_settings_t const * p_settings) { uint32_t err_code = NRF_SUCCESS; #ifdef MBEDTLS_X509_CRT_PARSE_C if ((p_settings != NULL) && (p_settings->p_ca_cert_pem != NULL)) { mbedtls_ssl_conf_authmode(&p_interface->conf, MBEDTLS_SSL_VERIFY_REQUIRED ); p_interface->p_cacert = nrf_malloc(sizeof(mbedtls_x509_crt)); if (p_interface->p_cacert != NULL) { // Initialize ca certificate. mbedtls_x509_crt_init(p_interface->p_cacert); int result = mbedtls_x509_crt_parse(p_interface->p_cacert, p_settings->p_ca_cert_pem, p_settings->ca_cert_pem_len); if ( result < 0 ) { err_code = NRF_TLS_INVALID_CA_CERTIFICATE; } else { mbedtls_ssl_conf_ca_chain(&p_interface->conf, p_interface->p_cacert, NULL); } } else { err_code = (NRF_ERROR_NO_MEM | IOT_TLS_ERR_BASE); } } else #endif // MBEDTLS_X509_CRT_PARSE_C { mbedtls_ssl_conf_authmode(&p_interface->conf, MBEDTLS_SSL_VERIFY_NONE); } return err_code; } /**@brief Sets up the configuration for SSL context according to the options specificed. * * @param[in] instance_id Identifies the TLS instance for which the procedure is requested. * @param[in] p_options Supplies options to be used for the configuration. * * @retval NRF_SUCCESS if the procedure was successful, else an error indicating reason * for failure. */ static uint32_t interface_conf_setup(uint32_t instance_id, nrf_tls_options_t const * p_options) { int result = 0; interface_t * p_interface = m_interface[instance_id]; uint32_t err_code = NRF_TLS_CONFIGURATION_FAILED; mbedtls_ssl_config_init(&p_interface->conf); result = mbedtls_ssl_config_defaults(&p_interface->conf, p_options->role, p_options->transport_type, MBEDTLS_SSL_PRESET_DEFAULT); mbedtls_ssl_conf_rng(&p_interface->conf, random_vector_generate, NULL); mbedtls_ssl_conf_dbg(&p_interface->conf, mbedtls_log, NULL); TLS_TRC("[%p]: mbedtls_ssl_config_defaults result %08lx", p_conf, result); #ifdef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED if (result == 0) { if ((p_options->p_key_settings != NULL) && (p_options->p_key_settings->p_psk != NULL)) { result = mbedtls_ssl_conf_psk(&p_interface->conf, p_options->p_key_settings->p_psk->p_secret_key, p_options->p_key_settings->p_psk->secret_key_len, p_options->p_key_settings->p_psk->p_identity, p_options->p_key_settings->p_psk->identity_len); } } #endif // MBEDTLS_KEY_EXCHANGE_PSK_ENABLED if (result == 0) { if (p_options->p_key_settings->p_own_certificate != NULL) { err_code = own_certificate_set(p_interface, p_options->p_key_settings->p_own_certificate); } else { err_code = NRF_SUCCESS; } } if (err_code == NRF_SUCCESS) { err_code = verify_options_set(p_interface, p_options->p_key_settings); } #ifdef MBEDTLS_SSL_PROTO_DTLS if (err_code == NRF_SUCCESS) { if (p_interface->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { mbedtls_ssl_conf_min_version(&p_interface->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); mbedtls_ssl_conf_max_version(&p_interface->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); if (p_options->transport_type == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { mbedtls_ssl_conf_handshake_timeout(&p_interface->conf, (MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN * 2), (MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN * 2)); } } } #endif // MBEDTLS_SSL_PROTO_DTLS interface_conf_debug_print(p_interface); return err_code; } /**@brief Sets up the SSL context according to the options specificed. * * @param[in] instance_id Identifies the TLS instance for which the procedure is requested. * * @retval NRF_SUCCESS if the procedure was successful, else an error indicating reason for * failure. * * @note For client roles, handshake prcoedure is initiated here. */ static uint32_t interface_ssl_context_setup(uint32_t instance_id) { int result = 0; interface_t * p_interface = m_interface[instance_id]; TLS_TRC("[%p]: Major number: 0x%08lx Minor number: 0x%08lx", p_conf, p_conf->min_major_ver, p_conf->min_minor_ver); mbedtls_ssl_init(&p_interface->context); result = mbedtls_ssl_setup(&p_interface->context, &p_interface->conf); TLS_LOG("mbedtls_ssl_setup result %d",result); if (result == 0) { //ssl_set_ciphersuites(&p_interface->context, default_ciphers); mbedtls_ssl_set_bio(&p_interface->context, (void *)instance_id, interface_transport_write, interface_transport_read, NULL); if (p_interface->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { mbedtls_ssl_set_timer_cb(&p_interface->context, (void *)instance_id, tls_set_timer, tls_get_timer); } TLS_MUTEX_UNLOCK(); result = mbedtls_ssl_handshake(&p_interface->context); TLS_MUTEX_LOCK(); TLS_LOG("mbedtls_ssl_handshake result %d", result); if (result == MBEDTLS_ERR_SSL_CONN_EOF) { result = 0; } } return (result ? (NRF_ERROR_INTERNAL | IOT_TLS_ERR_BASE) : NRF_SUCCESS); } uint32_t nrf_tls_init(void) { uint32_t index = 0; SDK_MUTEX_INIT(m_tls_mutex); do { interface_init(index); index++; } while (index < NRF_TLS_MAX_INSTANCE_COUNT); UNUSED_RETURN_VALUE(mbedtls_platform_set_calloc_free(wrapper_calloc, nrf_free)); #ifdef MBEDTLS_DEBUG_C mbedtls_debug_set_threshold(2); #endif // MBEDTLS_DEBUG_C UNUSED_RETURN_VALUE(nrf_drv_rng_init(NULL)); return NRF_SUCCESS; } uint32_t nrf_tls_alloc(nrf_tls_instance_t * p_instance, nrf_tls_options_t const * p_options) { uint32_t err_code = (NRF_ERROR_NO_MEM | IOT_TLS_ERR_BASE); TLS_MUTEX_LOCK(); err_code = interface_alloc(p_instance, p_options); if (err_code == NRF_SUCCESS) { err_code = interface_conf_setup(p_instance->instance_id, p_options); } if (err_code == NRF_SUCCESS) { err_code = interface_ssl_context_setup(p_instance->instance_id); } if (err_code != NRF_SUCCESS) { interface_free(p_instance->instance_id); } TLS_MUTEX_UNLOCK(); return err_code; } uint32_t nrf_tls_input(nrf_tls_instance_t const * p_instance, uint8_t const * p_data, uint32_t datalen) { uint32_t actual_size = 0; uint32_t err_code = (NRF_ERROR_NOT_FOUND | IOT_TLS_ERR_BASE); TLS_MUTEX_LOCK(); if ((p_instance->instance_id < NRF_TLS_MAX_INSTANCE_COUNT) && (m_interface[p_instance->instance_id] != NULL)) { interface_t * const p_interface = m_interface[p_instance->instance_id]; // Verify all data can be queued in the FIFO. err_code = app_fifo_write(&p_interface->input_fifo, NULL, &actual_size); if (err_code == NRF_SUCCESS) { // Avoid partial write. if (datalen <= actual_size) { actual_size = datalen; err_code = app_fifo_write(&p_interface->input_fifo, p_data, &actual_size); TLS_TRC("[%p]: >> nrf_tls_input datalen 0x%08lx result 0x%08lx", p_interface, datalen, retval); } else { TLS_LOG("[%p]: Failed to queue input. " "Available 0x%08lx, requested 0x%08lx", p_interface, actual_size, datalen); } interface_continue(p_interface); } else { // Not enough room in the FIFO, indicate error. return (NRF_ERROR_NO_MEM | IOT_TLS_ERR_BASE); } } TLS_MUTEX_UNLOCK(); return err_code; } uint32_t nrf_tls_read(nrf_tls_instance_t const * p_instance, uint8_t * p_data, uint32_t * p_datalen) { uint32_t err_code = (NRF_ERROR_NOT_FOUND | IOT_TLS_ERR_BASE); TLS_MUTEX_LOCK(); if ((p_instance->instance_id < NRF_TLS_MAX_INSTANCE_COUNT) && (m_interface[p_instance->instance_id] != NULL)) { interface_t * const p_interface = m_interface[p_instance->instance_id]; err_code = app_fifo_read(&p_interface->output_fifo, p_data, p_datalen); } TLS_MUTEX_UNLOCK(); return err_code; } uint32_t nrf_tls_write(nrf_tls_instance_t const * p_instance, uint8_t const * p_data, uint32_t * p_datalen) { uint32_t err_code = (NRF_ERROR_NOT_FOUND | IOT_TLS_ERR_BASE); TLS_MUTEX_LOCK(); if ((p_instance->instance_id < NRF_TLS_MAX_INSTANCE_COUNT) && (m_interface[p_instance->instance_id] != NULL)) { interface_t * const p_interface = m_interface[p_instance->instance_id]; int actual_len = (*p_datalen); TLS_MUTEX_UNLOCK(); actual_len = mbedtls_ssl_write(&p_interface->context, p_data, actual_len); TLS_MUTEX_LOCK(); if (actual_len < 0) { err_code = (NRF_ERROR_INTERNAL | IOT_TLS_ERR_BASE); if (actual_len == MBEDTLS_ERR_SSL_CONN_EOF) { if (p_interface->context.state < MBEDTLS_SSL_HANDSHAKE_OVER) { err_code = NRF_TLS_HANDSHAKE_IN_PROGRESS; } } } else { (* p_datalen) = actual_len; err_code = NRF_SUCCESS; } } TLS_MUTEX_UNLOCK(); return err_code; } uint32_t nrf_tls_free(nrf_tls_instance_t const * p_instance) { uint32_t err_code = (NRF_ERROR_NOT_FOUND | IOT_TLS_ERR_BASE); TLS_MUTEX_LOCK(); if ((p_instance->instance_id < NRF_TLS_MAX_INSTANCE_COUNT) && (m_interface[p_instance->instance_id] != NULL)) { interface_free(p_instance->instance_id); err_code = NRF_SUCCESS; } TLS_MUTEX_UNLOCK(); return err_code; } void nrf_tls_process(void) { uint32_t index; TLS_MUTEX_LOCK(); for (index = 0; index < NRF_TLS_MAX_INSTANCE_COUNT; index++) { if (m_interface[index] != NULL) { interface_continue(m_interface[index]); } } TLS_MUTEX_UNLOCK(); }